VA Office of Inspectors General, Review of Alleged Transmission of Sensitive VA Data Over Internet Connections (Mar. 6, 2013) (full-text).
The Office of Inspector General (OIG) evaluated the merits of an allegation that VA was transmitting sensitive data, including Personally Identifiable Information (PII) and internal network routing information, over unencrypted telecommunications carrier networks. In July 2012, the OIG informed the Assistant Secretary for Information and Technology of the possible security violations so VA could assess relative risks and take appropriate corrective actions.
The report substantiated the allegation that VA was transmitting sensitive data, including PII and internal network routing information, over an unencrypted telecommunications carrier network. Office of Information and Technology (OIT) personnel disclosed that VA typically transferred unencrypted sensitive data, such as electronic health records and internal Internet protocol addresses, among certain VA medical centers and Community Based Outpatient Clinics (CBOCs) using an unencrypted telecommunications carrier network.