An inspector general audit has found that a VA system for tracking work requests in the Veterans Benefits Administration did not adequately protect personal information of employees making those requests.
The audit followed a hotline tip regarding the Mission Accountability Support Tracker for requests including those for facility, equipment and vehicle management, for reasonable accommodations in the workplace, and for ID cards. The system receives and tracks the status of such requests and stores information on the requester including names, phone numbers, email addresses and Social Security numbers.
However, the report said that on the program’s launch in 2020, the VA “incorrectly concluded a privacy impact assessment was not necessary” which resulted in “inadequate security controls for the sensitivity of its information.” Further, some staff at regional offices added information on requesters such as home addresses and dates of birth not needed for the system.
After a change to the system in late 2021, though, such an assessment was done and the system was reclassified in a way requiring higher security controls.
“It is important that all new systems and applications undergo the appropriate security accreditation and certification process to ensure the necessary privacy controls are implemented,” the IG said.
It added that has issued a series of reports finding information security problems involving personal information, saying the department “has not consistently implemented components of its own agencywide information security risk management program. Failure to do so leaves sensitive personal information inadequately protected.”