VA disputes charge that it transmits unencrypted personal data over public Internet

Investigation by Inspector General's office finds that VA centers don't encrypt personal data during transmission to other offices

The Office of Information Technology at the U.S. Department of Veterans Affairs has disputed a finding by the agency's Inspector General that several VA centers routinely transmit unencrypted sensitive personal data over the public Internet.

The probe by the IG's office was launched following a complaint last year that three VA Medical Centers in the Midwest Health Care Network were transmitting personally identifiable information over unencrypted telecommunications carrier networks.

The investigation found the allegations to be true, said VA assistant inspector general for audit and evaluations Linda Halliday in a report released this week.

Investigators from the IG's office visited the three VA medical centers cited in the complaint. The centers are located in Fort Meade and Sioux Falls, S.D., and in Omaha, Neb.

The IG's office discovered that unencrypted sensitive information, including names, Social Security Numbers, dates of birth, and protected health information of veterans and their dependents, was sent from the targeted VA centers to other VA facilities, the report said.

In addition, the two facilities in South Dakota regularly used the same unencrypted telecommunications carrier network to transmit sensitive data such as x-rays and other radiographic patient images to external organizations.

IT staff at the VA centers told investigators that sending unencrypted sensitive data to other VA centers and to outside business partners was a common practice at more than just the three centers involved in the probe.

The transmission of unencrypted personal data violates internal VA security rules and does not satisfy Federal Information Security Management Act requirements. "Despite VA and [FISMA] requirements, VA has not implemented a configuration control that would ensure encryption of sensitive data," the report said.

"Unencrypted sensitive VA data could be used to perpetrate various types of fraud, including tax fraud," the report cautioned.

The report called on the VA to immediately implement encryption controls to protect data during transmission.

Roger Baker, VA assistant secretary for information and technology, rejected the IG's assertions.

He contended that personally identifiable information is not transmitted in the clear by any VA center.

Baker said the carrier networks used by the VA to transmit sensitive data are completely segmented and not exposed to the public Internet. The VA, he said, uses a Multiprotocol Label Switching (MPLS) service from its carriers to ensure it has a private and segmented network for transmitting data.

"These carrier services provide VA with a private network and do not place traffic on the Internet," he said.

Baker conceded that the network links investigated by the IG's office were not using encryption but insisted the data was not traversing the public Internet.

When the complaint reached the VA last year, the agency's IT team inspected the communications circuits that were involved, reviewed all associated network equipment and interviewed network administrators, Baker said. "All of the findings conclusively substantiated that traffic is traversing only VA's private network," he said.

Even so, the VA's IT organization has initiated a comprehensive review to ensure that sensitive data is being routed in a secure manner, he noted.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.
