Federal Reports

The Veterans Affairs Office of Inspector General conducted an administrative investigation into alleged ethics violations by Tracy Skala, former deputy director of the Orlando VA Medical Center. Ms. Skala’s son, who had a different last name, was a former VA employee who subsequently worked for a software development company with a mobile wayfinding application that could help veterans navigate VA facilities on their smartphones. Ms. Skala did not disclose their relationship when her son attended an April 6, 2023, meeting of the Veterans Integrated Service Network (VISN) 8 Executive Leadership Board. VISN 8 serves more than 1.4 million veterans. During the presentation and at many other times, Ms. Skala encouraged VISN leaders and a subordinate in her medical facility to approve the application for use, knowing her son could receive bonus pay as a percentage of a new VA contract. A VISN 8 executive who learned of their relationship promptly alerted the OIG.

The investigation found that Ms. Skala violated ethics rules by using her position to promote procurement of software from her son’s employer. Her participation in matters involving her son’s employer was an apparent conflict of interest. The OIG also noted that Ms. Skala, who retired from VA in April 2024, informed VA that she received a critical skills incentive, but VA had not initiated the process to recover any debt owed from her retiring before the requisite term of service. 

Due to Ms. Skala’s retirement, the OIG did not make recommendations regarding her conduct. VA concurred, or concurred in principle, with the OIG’s three recommendations relating to identifying potential conflicts before vendor presentations and improving critical skill incentive recoupment processes. VA provided acceptable action plans to implement the OIG recommendations and VA’s progress will be monitored until sufficient documentation has been received to close them as implemented.

The VA Office of Inspector General’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to three control areas the OIG determined to be at highest risk: configuration management controls, security management controls, and access controls. For this inspection, the OIG selected the Battle Creek Healthcare System in Michigan. The OIG found deficiencies in all three areas inspected.

Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation, system baseline configurations, and unauthorized software remediation.

Security management controls had one deficiency. The OIG found biomedical staff relied on incomplete security remediation reports to manage vulnerabilities on medical devices. The inspection team identified 25 vulnerabilities on seven biomedical devices that were not tracked in security remediation reports used by biomedical staff.

Access controls had three deficiencies. The OIG found the Battle Creek facility was deficient in physical access, environmental controls, and network segmentation. As a result, the facility risks unauthorized access, disruption, and destruction of critical information technology resources.

The OIG made three recommendations to the assistant secretary for information and technology and chief information officer to improve vulnerability management processes, implement a more effective baseline configuration process, and improve the remediations reporting process for the Continuous Readiness in Information Security Program. The OIG also made three recommendations to the healthcare system’s director, in conjunction with the assistant secretary for information and technology and chief information officer, to implement improved physical access controls, ensure network segmentation controls are applied as appropriate, and implement improved, consistent environmental controls for network communications closets.

Why We Did This Report

The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to determine whether the EPA has established sufficient controls to prevent unauthorized access to the Central Data Exchange system.

Summary of Findings

The EPA needs to strengthen management and access security controls for the Central Data Exchange, or CDX, system. The security of the CDX system is integral to the EPA accepting electronic environmental data for the Agency’s air, water, hazardous waste, and toxics release inventory programs. Without adequate security controls, the CDX is vulnerable to threat actors exploiting weak security controls to potentially gain unauthorized access, create fraudulent accounts, and enter unreliable data into the system.

Investigative Summary 22-0028

This is an annual report to Congress regarding the U.S. Consumer Product Safety Commission’s (CPSC) efforts to prevent and protect trafficking victims in 2024 in accordance with the Trafficking Victims Prevention and Protection Reauthorization Act of 2022.

Our audit found that loan costs claimed by the RLF operators were not allowable, allocable, and reasonable. Specifically, we found that the four operators awarded 11 of the 19 loans (58 percent), totaling $4,020,050, to ineligible borrowers that did not meet the eligibility criteria in the operators’ respective RLF operational plan, and borrowers did not use the RLF funds for the purpose intended by the CARES Act. As a result, we are questioning $4,020,050 in loan funds. In addition, we found RLF operators with 20 percent or more loans that were delinquent, in default, or written off, and EDA did not identify this as an area of concern.