Federal Reports

The VA Office of Inspector General (OIG) conducted a healthcare inspection to assess sustained performance of actions taken to close previous OIG recommendations at the Veterans Crisis Line (VCL) located in Canandaigua, New York; Atlanta, Georgia; and Topeka, Kansas. VCL is a crisis hotline providing services to veterans, service members, and their families members. VCL plays a significant role in VHA’s suicide prevention efforts. OIG staff evaluated areas of concern identified in two previous OIG VCL reports, published in 2016 and 2017, related to governance structure and oversight, operations, and quality management. The OIG found that VCL sustained actions related to previous recommendations. Clinical oversight of VCL was improved as a result of VCL’s realignment under the Office of Mental Health and Suicide Prevention. VCL hired a permanent director and operated under a directive that formalized operations guidance. VCL sustained improved operations processes, reduced rollover calls to the backup center, decreased the number of backup centers, and improved backup center oversight. VCL increased staffing at its Atlanta location and ensured that new responders participated in standardized training. VCL sustained actions to address previous concerns related to quality management leadership training, policies, and processes. Quality management reports showed improvements in oversight, tracking and trending of VCL quality indicators by site, and analysis of adverse outcomes. Responder silent monitoring was implemented at all sites. Plans were in place to expand the roles of social service assistants. During the current review, OIG staff found that VCL needed to analyze and address issues affecting rescue efforts, in which emergency services are dispatched to the location of a person determined to be in imminent danger. The OIG made one new recommendation related to improving location determination of veteran callers who need rescue.

The VA Office of Inspector General (OIG) conducted an inspection in response to episodes of non-adherence to Veterans Health Administration (VHA) and VA policies on patient information privacy and security at the Tibor Rubin VA Medical Center, Long Beach, California. After a VA computer update, a facility diagnostic device no longer interfaced with VHA patients’ electronic health records. A facility provider developed and implemented two workarounds to continue using the device. The workarounds were not in accordance with VHA and VA privacy and security policies and included using personal emails, a laptop, a non-encrypted flash drive, and electronic storage that were not approved by the VA. The OIG determined that the facility security and privacy staff mitigated the use of the workarounds and deleted the emails and information from the personal devices. However, issues with staff text messages were not addressed and, according to VA policy, the unencrypted personal emails and text messages did not meet the VA matrix criteria for a breach. The OIG concluded that patient sensitive personal information was at risk for disclosure to outside sources. Although the VA handbook that addressed matrix guidance for sensitive personal information incidents and events was revised on March 29, 2019, it did not address issues identified in this report. The OIG determined that 133 patients had sensitive personal information stored in unencrypted emails or text messages. In addition, facility staff used prohibited logbooks to track patient information and testing equipment. The OIG made one recommendation to the VA Assistant Secretary for Information and Technology and five recommendations to the Facility Director related to communication and education, disclosure of protected patient information, VA policy review, and compliance with the use of logbooks.

The Pleasant Hill Station has 38 city and seven rural routes delivered by 57 city carriers (50 full-time regular city carriers and seven city carrier associates) and seven rural carriers. We selected the Pleasant Hill Station based on our analysis of carriers returning after 6:00 p.m. data from the Enterprise Data Warehouse (EDW). The objective of this audit was to assess mail delivery service at Pleasant Hill Station – Des Moines, IA.

The National Credit Union Administration (NCUA) Office of Inspector General conducted this self-initiated audit to further assess NCUA’s Information Technology examination program. The objective of our audit was to determine whether the NCUA Office of National Examinations and Supervision (ONES) provides for adequate oversight of its credit unions’ cybersecurity programs to assess whether the credit unions are taking sufficient and appropriate measures to protect the confidentiality, availability, and integrity of credit union assets and sensitive credit union data against cyber-attacks.