False Statements and Concealment of Material Information by VA Information Technology Staff

Before the CRADA was executed, VA privacy experts informed the two VA employees that the terms of the proposed CRADA raised regulatory concerns that needed to be addressed before approval. Despite the privacy experts’ objections, the two VA employees intentionally failed to disclose the unresolved privacy issues to the approving official. They also falsely represented that all reviews, including privacy, information security, and legal, had been completed—implying that any identified issues had been addressed and resolved. The OIG concluded that the approving official relied on the information received from the two VA employees and was led to approve the CRADA under false pretenses. As a result of the two VA employees’ actions, the health data of tens of millions of veterans would have been placed at risk of disclosure if VA officials had not detected a problem and cancelled the CRADA before information was shared with the private company. The matter was declined for prosecution. The OIG made two recommendations related to determining what administrative action, if any, VA should take with respect to the two employees’ conduct.