Federal Reports

During the week of January 5, 2026, we performed a self-initiated audit at the Shreveport Processing and Distribution Center (P&DC) and Package Support Annex (PSA), and three delivery units serviced by the P&DC and PSA. The delivery units included Huntington Station and Southfield Station in Shreveport, LA and Plantation Station in Bossier City, LA.  

We issued individual reports for the three delivery units and one report for the P&DC and PSA. We also issued another report summarizing the results of our audits at all three delivery units with specific recommendations for management to address.

The VA Office of Inspector General conducted a healthcare inspection of the Martinsburg VA Medical Center (facility) to assess leaders’ response to clinical care and behavioral concerns involving two surgeons. The inspection was initiated after staff raised concerns about the two surgeons’ surgical competency, outcomes, and behavior. 

The OIG found that leaders generally followed required procedures when clinical care concerns were raised about both surgeons. Leaders initiated privileging action, conducted quality and clinical reviews, and restored privileges when indicated. One surgeon underwent a focused clinical care review that identified substandard care and resulted in a focused professional practice evaluation. That surgeon later completed the evaluation and moved to ongoing monitoring.

Although leaders carried out required privileging actions, the OIG found delays in the peer review process. Veterans Health Administration policy requires timely designation of peer reviews as confidential quality management activities, but the time between identifying cases and completing the necessary documentation by the facility exceeded required limits. These delays reduced opportunities for timely assessment and improving the quality of patient care.

Leaders complied with requirements for institutional disclosures. They conducted an electronic health record lookback of hundreds of surgeries performed by one surgeon, identified cases involving serious adverse events, and completed institutional disclosures when required.

The OIG also reviewed the two surgeons’ behavior concerns. The chief of surgery addressed disruptive behavior associated with one surgeon but did not assess an allegation involving the second surgeon, contrary to VA policy and facility bylaws. 

The OIG made two recommendations, and the Facility Director concurred with both. The Facility Director reported a process to ensure timely initiation of peer reviews will be implemented and stated that appropriate action was taken after assessing the allegations regarding the second surgeon’s behavior.

Why We Did This Report

We visited the Wyckoff/Eagle Harbor Superfund site on Bainbridge Island, Washington, to observe the EPA’s management of public access to the site, including contaminated beaches. Through our visit, we aimed to determine whether we should conduct additional oversight. 

Summary of Findings

Prior to our visit we identified concerns about public access to the site, but during our visit we observed physical access controls and informational devices that should effectively limit public exposure to contaminants. Therefore, we do not anticipate conducting additional oversight at this time.

Amtrak (the company) has been moving its technology systems and data to the cloud to provide on-demand access to shared services and reduce its dependence on in-house servers and databases. Migrating applications and data to the cloud, however, poses inherent security risks, exposing the company to an increased risk of cyberattacks. Accordingly, our objective was to assess the extent to which the company has implemented effective governance processes and security controls for cloud computing. In July 2025, we issued an interim report on this audit to alert the company to two pressing cybersecurity issues related to its cloud computing. In this report, we provide an update on the company’s progress on these issues and an overall assessment of its cloud computing practices. Given the sensitive nature of the report’s information, however, we are summarizing the results in this public version of the report.

Our assessment of the company’s governance processes and security controls of its cloud applications resulted in nine recommendations. In commenting on a draft of this report, the Executive Vice President for Digital Technology and Innovation agreed with our recommendations and described ongoing and planned actions to address them.