VA watchdog found improper sharing of sensitive information on cloud apps

The Department of Veterans Affairs has been improperly sharing sensitive information on collaborative, cloud-based applications, according to the agency’s Office of Inspector General.
In a Tuesday report, the VA OIG found that employees could access documents and emails from other staffers on internal networks, including communications that contained personally identifiable information for veterans getting surgery, reference checks, human resources paperwork and more. Two systems — the VA’s Office of Information and Technology’s Microsoft Office 365 Multi-Tenant system and the Veterans Health Administration’s Integrated Veteran Care Provider Profile Management system — had improperly shared the sensitive, personal information, the report found.
The improper sharing of sensitive information was made possible by inadequate controls over permissions. While the Office of Information and Technology had previously published instructions on the secure administration of apps like Teams and SharePoint, OIG said that “it lacks enforcement mechanisms to ensure standardized processes are followed across the organization.” OIT also has not expanded the roles and responsibilities of information security and privacy staff to include the “routine review of Teams and SharePoint site permissions and content.”
If the VA doesn’t implement controls to “adequately protect” sensitive information going forward, it could cause harm to individuals, and the agency may face legal liability, loss of public trust and more, OIG warned.
“While OIT has responded to the evolving risks and is attempting to mitigate them, VA will need to enhance control coverage to apply security in depth, agencywide,” the report said. “This is because other VA offices may implement these collaborative applications outside the direct control of OIT.”
The watchdog did note that OIT has made efforts to mitigate the risk of improper sharing on the collaborative systems.
As of June 2024, OIT published instructions for users to add labels indicating sensitivity to files in Office 365. In April 2024, OIT reportedly published instructions to administrators on how to remove a SharePoint user group “that would grant access to all VA users.”
Additionally, in March 2024, OIT “informed its staff of the Data Loss Prevention and Data Discovery Analytics and Labeling production pilot for labeling. This represented an initial effort to automate the identification of VA sensitive data.”
The watchdog recommended that the assistant secretary for IT and the chief information officer ensure that facilities and programs remove unauthorized sensitive information from collaborative application sites. It also recommended that the assistant secretary direct the standardization of SharePoint’s administration, as well as take additional action to implement automated tools to detect and correct improper sharing agencywide, among other actions.