VA patient system wrongly deemed ‘low risk’, watchdog says
The Department of Veterans Affairs’ IT office incorrectly deemed its patient-advocate communication system as “low risk,” putting fewer security controls around sensitive medical records and information, the agency’s Office of the Inspector General said in a report released Tuesday.
When the Patient Advocate Tracking System-Replacement (PATS-R) — which Veterans Health Administration staff use to document communications with veterans — was transferred to the cloud and the Office of Strategic Initiatives in November 2023, the OIT did not go through all necessary risk management steps, the OIG found.
“The low-risk categorization potentially jeopardized the confidentiality, integrity, and availability of veterans’ data,” the report said.
Low risk means the loss of the data’s “confidentiality, integrity, or availability could be expected to have a limited adverse effect,” it said, which is inappropriate for a system that has access to patient medical records.
In a survey of a sample of PATS-R users, 77% said they did not know they could use the system to view veteran medical records, but 89% said losing this access would not affect their job responsibilities, the report found.
As a result of the OIG’s preliminary findings in March 2025, the OIT bumped the risk categorization to moderate. But that “may still be insufficient because access controls were not working as intended and because the program office was not consistently reviewing users to ensure they were authorized to use PATS-R based on their roles,” the OIG said.
After the audit spanning March 2025 to this January, the VA concurred with all the recommendations and the OIG has already closed one asking for a higher risk categorization.
The VA said as of last December, PATS-R is a minor application under Microsoft Azure Services and will inherit its moderate to high controls.
Other recommendations included re-evaluating the business need for medical record access within PATS-R, regularly updating training materials and regularly reviewing authorized user access, as the OIG found the user deactivation process was not automated until May 2025.
The VHA was the subject of another recent OIG report, finding it provided clinical staff with generative artificial intelligence chat tools without the proper oversight or safeguards. VHA head John Bartrum, meanwhile, left the agency Monday after resigning last week.