For 9 months, VA failed to post quarterly reports about patients' data

Julie Spitzer -

The Veterans Affairs Department stopped posting online quarterly reports about security breaches affecting veterans for about nine months this year, according to a Nextgov investigation.

The 2006 Veterans Benefits, Healthcare, and Information Technology Act requires VA to share the quarterly reports on data security incidents with Congress. These reports keep tallies of incidents at VA hospitals or other institutions in which veterans were sent a notification letter that their personal data may have been breached or sent an offer of credit monitoring. The reports do not include details about the type or severity of the breaches.

The VA did submit reports to Congress during the nine-month period. However, since 2010, VA has published these reports online on the department's Office of Management and Budget reporting page.

Web archives reviewed by Nextgov showed that the most recent quarterly breach report posted on the page was from the fourth quarter of 2017, which ended in September.

After Nextgov requested more information about the reports Aug. 23,  the department updated the page to display reports from the first, second and third quarters of 2018.

The reports, reviewed by Nextgov, revealed the number of notification letters the VA sent rose from 584 during the first quarter of 2018 to 3,596 during the second quarter. During the third quarter, the number of letters dropped to 929. The number of credit protection letters rose from 1,059 during the first quarter to 1,712 during the second quarter and to 2,566 during the third quarter.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.