Hundreds of Wisconsin veterans' Social Security Numbers were shared inappropriately last April because the U.S. Department of Veterans Affairs "did not have adequate processes and information security controls in place," according to a report issued on Thursday by the department's inspector general.
An email with the SSNs of 638 Wisconsin veterans was sent by an employee at the Wisconsin Department of Veterans Affairs to a Madison-area veteran, who should not have received the file containing that information. He was subsequently sued by the State of Wisconsin for not immediately agreeing to scrub his computer of all the information related to that email and those SSNs.
Federal investigators began looking into the matter last November after a series of News 3 stories drew the attention of both U.S. Sen. Tammy Baldwin, D-Wisconsin, and U.S. Sen. Ron Johnson, R-Wisconsin.
Both have been critical of the VA's response to the matter. The VA insisted, as recently as February and again in September, that this was a one-time case of human error. However, the Inspector General's Office disagreed.
"The VA Office of Information and Technology did not adequately configure VA's information security filtering software to block the dissemination of unencrypted sensitive data before releasing information to (the Wisconsin Department of Veterans Affairs)," the report read. "As a result, VA put Wisconsin veterans' PII (personally identifiable information) at unnecessary risk of interception and misuse.
"We recommend (the VA) improve VA's email security filtering software controls, establish formal agreements with third-party organizations, evaluate whether permanent encryption controls are needed for non-VA employees with VA accounts, and conduct reviews of processes and controls at VAROs collaborating with third party organizations, to ensure security of sensitive veterans' information."
Federal privacy laws and multiple VA regulations require all emails with personally identifiable information to be password protected, which the April 1, 2015, email was not. News 3 saw at least three other emails sent by the WDVA where SSNs were not password protected.
VA Secretary Robert McDonald told Baldwin in a committee hearing in March that the VA would change its software to flag all emails with nine-digit numbers and not just those nine-digit sequences separated by dashes. In the U.S. military since Vietnam, veterans' file numbers, their identification numbers, have been their Social Security Numbers without dashes to separate the numbers.
Baldwin sent McDonald a letter Thursday insisting the department take immediate action to protect veterans' personal information. In her note, she also stressed she would continue to pursue the Veterans Identity Theft Protection Act, which is bipartisan legislation that prohibits the VA from using Social Security Numbers to identify veterans in their system.
"Today's inspector general report reveals that veterans' Social Security Numbers are still at risk, not just in Wisconsin, but across the nation," she wrote in an email to News 3. "The VA needs to take responsibility for falling short and fix these problems. Putting our veterans at risk of identity theft with information they have entrusted to the VA is totally unacceptable."
The inspector general report was also critical of the WDVA's security procedures, stating that "WDVA’s method of information sharing with third parties left veterans’ PII vulnerable to potential unauthorized access, loss, or disclosure. WDVA also did not have adequate processes and procedures for transmitting veterans’ PII to third-party organizations."
Further, it criticized WDVA for incorrectly determining that the email with the SSNs was sent because the federal VA email system "malfunctioned," when in reality the system had been manually disabled by a WDVA administrator to send it, not just to the Madison veteran who was not supposed to receive it, but also to an additional 68 people who were not authorized to receive that information. That administrator has since been let go.
The inspector general determined the WDVA had been sending veterans' SSNs and disability claim information to unaccredited people since 2014.
Johnson said he was satisfied with the fixes the VA had already made to further protect veterans' identities.
"When concerns regarding the improper transmission of Wisconsin veterans' personally identifiable information were brought to my office, I demanded accountability from the U.S. Department of Veterans Affairs," Johnson said in an email to News 3. "In response to my request, the VA implemented changes to its systems to better protect veterans' information. I will continue to hold the VA accountable to safeguard veterans' personal information."