VA’s release of certain records to veterans under the Privacy Act in a recent three-year period imperiled the privacy of third parties whose personal information was in those records, according to an IG report.
It said that between May 2016 and October of this year the VA followed a policy of not redacting from veterans benefits claims records the names and Social Security numbers of other persons included in those files, which veterans or their representatives may demand under the Privacy Act.
The reason the VA stopped culling out that information in 2016, it said, was that the task was deemed to be slowing down the process, contributing to a growing backlog of such requests. The department returned to its original policy after being briefed on the IG’s findings.
Those findings included that in a random sample of 30 responses, names and Social Security numbers of 1,027 other persons were found in 18—including other persons named in military orders or in medical records from uniformed service, as well as records of other veterans that were misfiled in the requester’s file. From that, the IG projected that the total number of third-party persons potentially affected could be in the millions.
Those persons were not notified and offered identity theft protection services as they might have been if the same had happened under the pre-May 2016 policy, VA officials told the auditors. The information was primarily included on computer disks which were not encrypted or password-protected, the report added.