VA admits to improperly disclosing COVID-19 vaccine data for 500,000 staff

The agency removed a spreadsheet containing personal details including vaccination status following an internal investigation.

The U.S. Department of Veterans Affairs has admitted that it failed to adequately protect COVID-19 vaccination status data for about 500,000 of its employees.

Following an internal investigation by the VA’s Data Breach Response Service, the agency removed a spreadsheet containing personal details including vaccination status, according to a notice sent to the agency’s bargaining unit employees that was obtained by FedScoop. Federal Times first reported the data breach.

Approximately 500,000 employees’ vaccination records were disclosed without permission last year and sent to various members of Veterans Health Administration (VHA) senior leadership, according to the American Federation of Government Employees (AFGE) union, which filed a grievance.

Under the Health Insurance Portability and Accountability Act, regulated entities are prohibited from disclosing an individual’s protected health information, which includes COVID-19 vaccination status.


“Upon internal review, the VA agrees that the information contained in these documents should not have been placed on SharePoint without appropriate access permissions and this incident resulted in the inadvertent or unauthorized transmissions or disclosure of sensitive personal information,” Jessica Bonjorni, chief of human capital management for the VA, said in a notice to AFGE bargaining unit members on Nov. 9 and Nov. 10.

“Offering the highest levels of privacy protection to VA employees remains a top priority for both VA and AFGE. VA has investigated the matter, and the at-issue spreadsheet has been removed,” she added.

The spreadsheet that was incorrectly disclosed in the data breach in October 2021 included employee names and indicated whether or not they had been vaccinated, according to the AFGE National VA Council.

A VA spokesperson said: “VA remains committed to providing the highest levels of privacy protection to its employees. We investigated this matter and concluded on November 16, 2021, that the breach demonstrated a low risk of compromise.”

The emailed notice sent by Bonjorni said that the agency will complete any additional required investigations.


Editor’s note, 12/1/22: This story was updated to include comment from the VA.


Written by Nihal Krishan

Nihal Krishan is a technology reporter for FedScoop. He came to the publication from The Washington Examiner where he was a Big Tech Reporter, and previously covered the tech industry at Mother Jones and Global Competition Review. In addition to tech policy, he has also covered national politics with a focus on the economy and campaign finance. His work has been published in the Boston Globe, USA TODAY, HuffPost, and the Arizona Republic, and he has appeared on NPR, SiriusXM, and PBS Arizona. Krishan is a graduate of Arizona State University’s Walter Cronkite School for Journalism. He grew up in South Korea, Saudi Arabia, India, and Singapore before moving to the United States to study politics and journalism. You can reach him at
