VP candidates' EHRs may have been improperly accessed by VA employees

An investigation into the incident, now being handled by the Department of Justice, is reportedly trying to determine whether Gov. Tim Walz's or Sen. J.D. Vance's health records were shared as a result of the insider breaches.
By Andrea Fox
08:12 AM

Veterans Health Administration employees allegedly accessed the medical records of vice presidential nominees Ohio Senator J.D. Vance and Minnesota Governor Tim Walz in July and August.

"We reported to law enforcement allegations that [Veterans Affairs] personnel may have improperly accessed veteran records," according to a statement from VA Press Secretary Terrence Hayes sent by email on Monday.

WHY IT MATTERS

At least 12 employees of the VHA, including a physician and a contractor, reviewed the candidates’ medical files, the Washington Post reported on Monday, as the candidates prepared for their October 1 vice presidential debate. 

A spokesperson from the VA declined to verify specifics, deferring questions to the Department of Justice, and shared an agency statement.

The breaches were discovered in August during a security sweep of high-profile health accounts held in the VA's electronic health records, according to the Post's story.

Walz, running alongside Vice President Kamala Harris on the Democratic ticket, served 24 years in the National Guard. Vance, running under former President Donald Trump as the Republican VP nominee, served four years in the Marine Corps, and in Iraq as a combat correspondent. 

CNN said an employee under VA Inspector General Michael Missal contacted the Ohio Republican's campaign operation to alert it to improper access to the senator's VA health records, according to a campaign source.

The VA also provided a memorandum that VA Secretary Denis McDonough sent to all VA staff on August 30. The "Privacy Matters" memo reiterated the agency's privacy rules, with specific directives on data conduct and the consequences of failing to comply.

"Veteran information should only be accessed when necessary to accomplish officially authorized and assigned duties as an employee, contractor, volunteer or other personnel," McDonough said.

"Viewing a Veteran’s records out of curiosity or concern – or for any purpose that is not directly related to officially authorized and assigned duties – is strictly prohibited."

Breaching veterans' trust with respect to their privacy and confidentiality could result in "disciplinary action, including removal, as well as referral to law enforcement for civil penalties and criminal prosecution," he added.

THE LARGER TREND

This is hardly the first time the electronic health records of high-profile figures may have been accessed inappropriately. Past high-profile patient privacy cases have included unauthorized snooping in the EHRs of celebs such as George Clooney and Kim Kardashian.

More broadly, insider threats are a cybersecurity risk for healthcare organizations: they can expose protected health information and leave organizations vulnerable to legal liabilities.

In 2022, the Kaiser Foundation Health Plan of the Mid-Atlantic States reported that it discovered unauthorized access to its EHR by a former employee who disclosed the patient information of more than 8,500 individuals for personal gain.

"Healthcare leaders should understand where operational vulnerabilities exist in their organization, from marketing all the way down to critical health records," the Health Sector Cybersecurity Coordination Center said in a threat briefing published earlier that year.

But insider threats go beyond the risks of nefarious data theft. Some employees do not have any criminal intent, but may go looking for patient information out of curiosity or personal concern, Dr. Eric Liederman, now chief executive officer of CyberSolutionsMD, told Healthcare IT News last year.

Previously, as Kaiser Permanente's director of medical informatics, Liederman spearheaded the implementation of data system gates that he said helped encourage employees to check themselves before breaching HIPAA and foster a culture of cybersecurity in the organization.

ON THE RECORD

"We take the privacy of the veterans we serve very seriously and have strict policies in place to protect their records," said Hayes about the recent VA incident. "Any attempt to improperly access veteran records by VA personnel is unacceptable and will not be tolerated."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
