VA employees may have unlawfully accessed VP candidates’ EHRs

Employees of the Veterans Health Administration allegedly gained access to the medical records of vice presidential candidates Ohio Senator JD Vance and Minnesota Governor Tim Walz in July and August.

“We have reported to law enforcement authorities allegations that Veterans Affairs personnel may have unlawfully accessed veterans’ data,” according to a statement from VA press secretary Terrence Hayes emailed Monday.

WHY IT’S IMPORTANT

At least twelve VHA employees, including a doctor and a contractor, viewed the candidates’ medical records, The Washington Post reported on Monday, as the candidates prepared for their Oct. 1 vice-presidential debate.

A VA spokesperson declined to verify the details, deferring questions to the Justice Department and sharing a statement from the agency.

The breaches were discovered in August during a security review of high-profile health care bills held in the VA’s electronic health records, according to the Post story.

Walz, who ran alongside Vice President Kamala Harris on the Democratic ticket, served in the National Guard for 24 years. Vance, who ran as a Republican vice presidential candidate under former President Donald Trump, served four years in the Marine Corps and in Iraq as a combat correspondent.

CNN said an aide to VA Inspector General Michael Missal had contacted the Republican’s campaign operation in Ohio to notify it of improper access to the senator’s VA health records, according to a campaign source.

The VA also provided a memorandum to all VA personnel sent by VA Secretary Denis McDonough on August 30. The “Privacy Matters” memo reiterated the agency’s privacy rules with specific guidance on data conduct and what noncompliance could result in.

“Veterans’ information should be accessed only as necessary to perform officially authorized and assigned duties as an employee, contractor, volunteer or other personnel,” McDonough said.

“Viewing a veteran’s records out of curiosity or concern – or for any purpose not directly related to officially authorized and assigned duties – is strictly prohibited.”

Violating veterans’ trust regarding their privacy and confidentiality could result in “disciplinary action, including expulsion, as well as referral to law enforcement authorities for civil penalties and criminal prosecution,” he added.

THE BIG TREND

This is not the first time that the electronic medical records of prominent figures have been unlawfully accessed. Previous high-profile patient privacy cases have included unauthorized snooping on the EHRs of celebrities like George Clooney and Kim Kardashian.

More broadly, insider threats are a cybersecurity risk for healthcare organizations because they can expose protected health information, leaving the organizations vulnerable to legal liability.

In 2022, the Kaiser Foundation Health Plan of the Mid-Atlantic States reported that it discovered unauthorized access to its EHR by a former employee who disclosed the patient information of more than 8,500 individuals for personal gain.

“Healthcare leaders need to understand where operational vulnerabilities exist in their organizations, from marketing through critical health records,” the Health Sector Cybersecurity Coordination Center said in a threat briefing published earlier that year.

But insider threats go beyond the risks of nefarious data theft. Some employees may not have criminal intent but may seek patient information out of curiosity or personal concern, Dr. Eric Liederman, now CEO of CyberSolutionsMD, told Healthcare IT News last year.

Previously, as director of medical informatics at Kaiser Permanente, Liederman led the implementation of data system gates that he said encouraged employees to audit themselves before violating HIPAA and promoted a culture of cybersecurity in the organization.

ON THE RECORD

“We take the privacy of the veterans we serve very seriously and have strict policies in place to protect their information,” Hayes said of the recent VA incident. “Any attempt to inappropriately access veteran data by VA personnel is unacceptable and will not be tolerated.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
