Get Started Now! Get Your Credit Repair Do It Yourself!!

VA put millions of people, including doctors, at risk of identity theft, agency audit finds

New IdentityTheft Scam

The Department of Veterans Affairs (VA) put millions of people, including medical professionals, at risk of identity theft by disclosing their social security numbers in copies of veterans’ benefits claims, an agency audit found.

When responding to veterans’ requests for copies of their medical benefits claims, the VA failed to redact personally identifiable information of other service members and doctors treating the veteran, according to a report from the VA Office of Inspector General (OIG). That information included names and social security numbers.

The failure to delete other people’s personal information on those records goes back to a policy put in place in May 2016, the OIG report said.


On The Front Lines: How Payers Can Combat The Opioid Epidemic

What will it take to solve the opioid epidemic? In this webinar, we’ll share real-world strategies and best practices for health insurance leaders on the front lines and explore what’s working and how to overcome common challenges.

“The May 2016 policy change did not require third parties to be notified when their information was released, meaning individuals at risk of identity theft might not be aware of that risk,” the VA OIG report said.

The Inspector General reviewed a random sample of 30 out of about 65,600 Privacy Act requests that the Veterans Benefits Administration’s (VBA) Records Management Center, a sub-agency of the VA, completed from April 1, 2018, through September 30, 2018.

That review found 1,027 unrelated third party names and social security numbers in records that VBA purposely included in requesters’ claims files.

RELATED: Dental practice pays $10K to settle complaint it disclosed patient information on Yelp

In one example, VA staff sent a disc to a veteran who requested his records, and the disc contained the names and social security numbers of 197 other individuals, including medical professionals in the veteran’s medical records.

Before May 2016, VBA’s policy required staff to limit disclosure to information that pertained only to the requester, and staff were required to redact third-party information. To do this, staff conducted a page-by-page review of requested records and used software to block out the third-party information, according to the audit.

Three years ago, the Veterans Benefits Administration changed its policy to stop redacting that information because the process was slowing down the department’s ability to respond to records’ requests. In less than two years, the VBA’s backlog of records requests grew from 10,000 to 70,000 with the average response time almost doubling to 150 days. That also resulted in a growing number of appeals and litigation.

The requirement to redact third-party information was a major factor in the delays, the department told the Office of General Counsel. The department also wanted to improve veterans’ electronic access to their records and the release policy needed to change because it was not feasible to review and redact millions of records, the report said.

VA’s legal counsel decided there was legal support for the policy change although noted there were some “inherent risks” and even said potential harm from misuse of such information “could be substantial,” the report said.

RELATED: More than 70% of hospital data breaches compromise information that puts patients at risk of identity theft

VA and VBA officials with roles specifically related to privacy also expressed serious concerns that the policy change was “inappropriate” and does not protect third-party personally identifiable information, but department leadership went ahead with the policy change.

Since the policy change in May 2016, the VA responded to about 379,000 records requests. Based on the volume of third-party personally identifiable information found in the sample of responses the OIG reviewed, the VA could have already released millions of third parties’ names and social security numbers, according to the audit.

The VA also did not encrypt or password protect the discs that were mailed to the requesters, creating a risk of identity theft if those discs were lost, sent to the wrong recipient or stolen, the report said.

The department did not consider the disclosures to be data breaches because it was allowed under the VA’s records release policy.

The VA has since revised its policy, in effect Oct. 1, to again require that personal information on third parties be redacted.

“VA is committed to providing Veterans prompt access to their claim records increasing transparency and improving customer service,” VA Secretary Robert Wilkie said in a statement about the recent policy change. “It’s imperative that we protect files containing sensitive and personal information.

Under this new process, VA does not anticipate delays in forwarding copies of claims files to Veterans or their designated representatives, the department said.

Source: on 2019-11-22 16:45:00

Read More At Source Site

Add a Comment

Your email address will not be published. Required fields are marked *

52 − 43 =