The Obama administration’s Department of Veterans Affairs (VA) knew that a breach of veterans’ personal information was “practically unavoidable” months before it happened in January, according to an internal VA risk assessment that also said the department’s security programs are “non-compliant” with three federal laws.
House Veterans Affairs chairman Rep. Jeff Miller recently wrote a letter demanding VA secretary Eric Shinseki take steps to address software glitches like the kind that plagued the department’s eBenefits portal, which in January exposed the “medical and financial information” of more than 5,000 veterans to anyone able to log on to the portal.
This breach came as no surprise to VA.
“It is practically unavoidable that a data breach to financial, medical, and personal Veteran and employee protected information may occur within the next 12 to 18 months, with no way of tracking the source of the breach,” according to the redacted July 2, 2013 VA security risk assessment obtained by The Daily Caller.
“As such it is practically unavoidable that the VA cannot ensure the safety and privacy of Veteran and employee healthcare, benefits, and financial information and is non-compliant with its own privacy and security policies and with federal laws and regulations (HIPAA Security Rule, FISMA, and Fiscal Integrity Act). The result will be a significant possibility that inappropriate record access may cause unintended exposure of Veteran and employee protected information resulting in litigation, Congressional scrutiny, fines, and settlements,” according to the assessment.
A VA spokesman previously told The Daily Caller that the department “reinforced its security posture” and that the “defect had been remedied,” but Miller’s letter stated that “these types of breaches continue to occur on a regular basis at the VA.”