DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

VA routinely transmitted sensitive information over unencrypted network – OIG. No, we didn't – OIT.

Posted on March 7, 2013 by Dissent

A report released yesterday by the Office of the Inspector General (OIG) for the Department of Veterans Affairs indicates that they substantiated allegations that the VA was routinely transmitting sensitive information, including PII, PHI, and internal network routing information, over an unencrypted telecom carrier network. The Office of Information and Technology (OIT) disputes their findings, however.

From the OIG report, the background of the investigation:

The VA Midwest Health Care Network, also known as the Veterans Integrated Service Network (VISN) 23 within the Veterans Health Administration, serves more than 400,000 veterans enrolled to receive medical care residing in Iowa, Minnesota, Nebraska, North Dakota, South Dakota and portions of Illinois, Kansas, Missouri, Wisconsin, and Wyoming.

In May 2012, a complainant contacted the VA Office of Inspector General (OIG) Hotline, alleging that certain VA medical centers (VAMCs) were transmitting sensitive information, including PII and internal network routing information, over unencrypted telecommunications carrier networks. More specifically, the complainant indicated that unencrypted data were transmitted among various VAMC networks using the South Dakota Network, which functions as the local telecommunications carrier network.

The complainant alleged that these security violations occurred at VAMCs located in Fort Meade, SD; Omaha, NE; and Sioux Falls, SD, which are in VISN 23.

The allegations were  reportedly substantiated:

Office of Information and Technology (OIT) personnel disclosed that VA typically transferred unencrypted sensitive data, such as electronic health records and internal Internet protocol addresses, among certain VA medical centers and Community Based Outpatient Clinics (CBOCs) using an unencrypted telecommunications carrier network.

The sensitive information included:

veterans’ and dependents’ names, Social Security numbers, dates of birth, and protected health information. The data also included the Veterans Health Information Systems and Technology Architecture’s electronic health records and internal Internet protocol addresses.

We also noted that the Sioux Falls and Fort Meade VA medical facilities regularly used unencrypted telecommunications carrier networks to transmit unencrypted sensitive data to external organizations providing remote Teleradiology services. Teleradiology services involve electronically sending radiographic patient images, such as X-rays, and sensitive patient information from one location to another for the purpose of interpretation and/or consultation with radiologists.

Disturbingly, OIT personnel stated that:

sending unencrypted sensitive data to outpatient clinics and external business partners was a common practice at facilities across VA (emphasis added by PHIprivacy.net). OIT management acknowledged this practice and formally accepted the security risk of potentially losing or misusing the sensitive information exchanged via a waiver; however, the use of a system security waiver was not appropriate.

I wonder if every veteran whose health or other sensitive information was transmitted insecurely would have agreed to accept the risks.

Not surprisingly, the OIG report recommends encryption and training of OIT personnel on the importance of encrypting sensitive information.

The OIT disagreed with the OIG’s findings:

OIT does not agree with the assertion that PII and internal network routing information are being transmitted over unsecured Internet connections. OIT employs service offerings from industry telecommunications carriers that are privately segmented from other public traffic and that secure internal routing information from exposure to unauthorized entities. These carrier services provide VA with a private network and do not place traffic on the Internet. It is necessary, in serving our Veterans, to transmit PII. The network links in question are not currently employing encryption but these transmissions are crossing only the private VA network and are not exposed to or traversing the Internet.

After learning of the allegation, OIT immediately engaged in a comprehensive review of the locations where the complaints were focused and subsequently determined that the allegation is unsubstantiated. The review was conducted utilizing subject matter experts from outside of the geography and organization in the report. The communications circuits in the geography in question were inspected, the configuration of the associated network equipment was reviewed, and the network administrators were interviewed. All of the findings conclusively substantiated that traffic is traversing only VA’s private network and is not utilizing the Internet, or otherwise publicly exposed, in any way. The telecommunications carrier for these communications links was also interviewed to validate the nature and configuration of their service offering. The carrier confirmed that the communications links in questions are private Multiprotocol Label Switching (MPLS) that provide a secure, privately segmented network to VA. A letter from the telecommunications carrier is also attached.

Also attached is a technical explanation and diagrams demonstrating how sensitive information is routed between VA facilities. Although VA does not concur with the Inspector General’s findings in this area, OIT has initiated a review to ensure that the current practice described in the aforementioned technical documentation is being consistently applied across the VA enterprise, and if exposures are found, OIT will correct those exposures without hesitation.

So did the OIG get their findings wrong? If so, that’s a pretty big mistake that would make me question whether the OIG is competent to really investigate IT security.

You can read the full report here.

Category: Uncategorized

Post navigation

← HIPAA and state law privacy claims stand while medical malpractice claim falls
$250,000 penalty issued to Lucile Packard Children's Hospital was an error – CDPH →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.
  • Websites selling hacking tools to cybercriminals seized
  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database
  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.