Federal Reports

Memorandum to the Chairman of the Railroad Retirement Board regarding OIG's fiscal year 2025 risk assessments for the Government Charge Card abuse Prevention Act of 2012.                

The VA OIG conducts information security inspections to assess whether VA facilities meet federal security requirements. The OIG followed up on an inspection it conducted at the VA Beckley Healthcare System in West Virginia in 2023.
During this follow-up inspection, the OIG identified substantial progress in addressing prior recommendations, and some continued deficiencies in configuration management, security management, and access controls.

For configuration management, the team identified one deficiency over vulnerability remediation: the healthcare system did not meet required timelines for addressing critical vulnerabilities and lacked necessary remediation plans, leaving outdated software on numerous systems. Additionally, the OIG identified several unique high and critical vulnerabilities within the network that were not reflected in the agency’s standard vulnerability reports.

The healthcare system had deficiencies in three security management controls: a special-purpose system lacked authorization to operate; a special-purpose system had inappropriate security categorizations; and staff had administrative access and a lack of separation of duties for managing a pharmacy inventory system.

Finally, the healthcare system had deficiencies in physical controls restricting access to computer rooms, although the facility was addressing these deficiencies. The team also found that the facility was not monitoring the destruction of temporary records as required.

The OIG made three recommendations to the assistant secretary of information and technology, who also serves as the chief information officer, and two recommendations to the Beckley VA Medical Center director. VA concurred with four recommendations and did not concur with one. Nevertheless, the OIG noted VA provided sufficient evidence of implementation for four of the recommendations (including the one VA did not concur with) and considers those recommendations closed. The OIG will monitor implementation of the remaining recommendation.

Why We Did This Report

The OIG conducted this audit to determine whether the EPA appropriately identified and resolved improper payments during its annual review of the State Revolving Fund Program.
 

Summary of Findings

The EPA did not appropriately identify unknown and improper payments or properly track them for reporting and resolution, which resulted in the Agency’s regions underreporting unknown and improper payments by approximately $54.4 million for fiscal year 2022 and $8.8 million for fiscal year 2023 for the transactions we reviewed.

Semiannual Report to Congress, highlighting the activities and accomplishments of the U.S. AbilityOne Commission Office of Inspector General from April 1, 2025, through September 30, 2025.

The VA Office of Inspector General (OIG) conducted an inspection to evaluate allegations concerning patients’ data security and related oversight practices within the national cancer prevention, treatment, and research program and Office of Research & Development (ORD). The OIG identified additional concerns related to a Veterans Health Administration (VHA) project not submitted to an Institutional Review Board (IRB) and the process for reviewing a protected health information (PHI) breach.

The OIG did not substantiate that the national cancer prevention, treatment, and research program Executive Director categorized projects as operational to bypass IRB review. However, the OIG found that a collaborative project between VHA and non-VHA investigators was not submitted to a VHA IRB for approval. 

The OIG substantiated that the Executive Director of Operations for a national cancer testing program and project staff did not deidentify a data file before sharing with non-VHA investigators. The OIG review of the data file found a significant amount of data containing PHI. The Executive Director of Operations also did not recognize the extent of PHI disclosed. 

The OIG did not substantiate that the Executive Director of Operations for a national cancer testing program and an ORD privacy officer did not take action to review privacy concerns of a potential breach of PHI (privacy event). However, the privacy officer did not enter the privacy event into the tracking system or report the event to a VHA privacy officer timely. The Data Breach Response Service director reviewed the privacy event and determined it was not a data breach.

The OIG made six recommendations for VHA to ensure IRB review of the project and corrective actions address issues for determination of research project designation, privacy reporting and data disclosure, and national cancer prevention, treatment and research program staff receive training on IRB submission and privacy requirements.

Letter to the Office of Management and Budget regarding Office of Inspector General's Fiscal Year 2025 risk assessment for the Government Charge Card Abuse Prevention Act of 2012.