Skip to main content
Report File
Date Issued
Submitting OIG
Department of Veterans Affairs OIG
Agencies Reviewed/Investigated
Department of Veterans Affairs
Components
Office of Information and Technology
Report Number
24-01330-29
Report Description

The OIG received a hotline allegation from a VA medical center employee regarding the improper sharing of sensitive information on VA’s internal network. The complainant reported that an employee could search for fellow employees on the internal network and find documents and emails that contained sensitive personal information. Among these documents were human resources paperwork, such as interview questions and reference checks, performance awards, and personally identifiable information for veterans getting surgery.

The OIG confirmed sensitive personal information was accessible by VA users who had no business need to access it. Furthermore, the OIG noted that the type of sensitive personal information accessible should not have been hosted on the systems it was found on, as the information exceeded the systems’ security authorizations. The OIG determined this was a national issue because the hosting systems are cloud based and the information was observable by any authorized VA employee, regardless of location.

To address the reasons for the improper sharing, the OIG recommended that the assistant secretary for information and technology 
   •    ensure facilities and programs remove unauthorized sensitive personal information from collaborative application sites such as SharePoint; 
   •    direct facilities and programs to standardize SharePoint administration, inventory and consolidate their SharePoint sites; 
   •    implement enforcement mechanisms such as recommended architecture to allow greater control of permissions and content; 
   •    expand roles and responsibilities for privacy officers and information system security officers; 
   •    implement automated tools to detect and correct improper sharing agencywide; and 
   •    mandate standardized training for SharePoint administrators and owners. 

The assistant secretary concurred with all recommendations, and the OIG agreed to close two recommendations after VA provided sufficient evidence of implementation. The four other recommendations remain open.

Report Type
Review
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 8 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
01 No $0 $0

Take corrective actions to ensure that facilities and programs remove unauthorized sensitive information from collaborative application sites.

04 No $0 $0

Expand roles and responsibilities of facility and program information system security officers and privacy officers to include the routine review of SharePoint and Teams site permissions and content.

05 No $0 $0

Implement automated tools and policies, supported with training, to enable the timely and routine detection and correction of improper sharing and unauthorized content throughout VA.

06 No $0 $0

Mandate standardized training for SharePoint administrators and owners to clarify and reinforce data security requirements.

01 No $0 $0

Take corrective actions to ensure that facilities and programs remove unauthorized sensitive information from collaborative application sites.

04 No $0 $0

Expand roles and responsibilities of facility and program information system security officers and privacy officers to include the routine review of SharePoint and Teams site permissions and content.

05 No $0 $0

Implement automated tools and policies, supported with training, to enable the timely and routine detection and correction of improper sharing and unauthorized content throughout VA.

06 No $0 $0

Mandate standardized training for SharePoint administrators and owners to clarify and reinforce data security requirements.

Department of Veterans Affairs OIG

United States