WASHINGTON — A Department of Veterans Affairs office in Atlanta that determines health care coverage for veterans failed to encrypt the records of more than 3 million former service members, ran outdated computer programs that were not securely configured and permitted unauthorized software on its networks, according to an audit.
A report issued Wednesday by the VA Office of Inspector General cited security lapses at the Health Eligibility Center that have led to weaknesses in the computer system and made records vulnerable to unauthorized access, modification and destruction.
The Health Eligibility Center determines health care benefits for veterans. When files are encrypted, attackers cannot use the data without the key that turns the stored data back into readable information.
“Although the findings and recommendations in this report are specific to the [Health Eligibility Center], other VA facilities could benefit from reviewing this information and considering these recommendations,” inspectors wrote in the report.
Inspectors said they chose the Health Eligibility Center in Atlanta because it previously had deficiencies in a fiscal 2022 audit.
Without critical controls in place, VA computer systems are susceptible to attack by individuals seeking to access sensitive information and interfere with operations, the inspectors said.
“A cyberattack could disrupt access to, destroy or allow malicious control of personal information belonging to VA patients, dependents, beneficiaries, employees, contractors or volunteers,” according to the report.
The report stated the VA employs about 400,000 people across the agency who have varying levels of access to its computer system. Another 100,000 contractors with government-furnished technology equipment also have access.
Terrence Hayes, the VA press secretary, said Thursday that VA’s central office in Washington, D.C., has taken steps to ensure records are encrypted and secured at the Health Eligibility Center.
“We have decommissioned this server, and it is no longer storing, processing or transmitting any sensitive data,” he said.
Under the Health Insurance Portability and Accountability Act, commonly known as HIPAA, which protects the privacy and security of health information, organizations must implement an alternative, equivalent security measure if they opt not to encrypt protected information.
The Health Eligibility Center has an annual budget of $54 million and operates within the VA Atlanta Health Care system, determining benefits and managing enrollment. The staff made eligibility decisions on more than 600,000 requests in fiscal 2023, the report said.
“Every health care applicant must deliver physical paper records — or send them via fax machine. These documents are scanned into a computer application so that staff can review and determine eligibility for benefits,” according to the report.
The audit found the center has yet to demonstrate that it can identify and fix computer vulnerabilities in a timely manner.
Inspectors found 91% of computer servers had software configuration settings that did not meet baseline security requirements.
“Security configuration of servers is not just a defensive strategy but a proactive one that helps protect the confidentiality, continuous availability and integrity of VA systems,” the audit said.
The inspection also found 60 different versions of unapproved software installed 169 times on the center’s computers.
“By not remediating unauthorized software, VA has no assurance that corresponding system security and privacy plans have identified appropriate security controls for all components at the facility,” the report said.