Web Tool Puts VA Protected Health Information at Risk

Department of Veterans Affairs employees improperly used Yammer.com, a web-based collaboration tool to increase productivity, and introduced data security risks, according to an audit report.


The VA Office of Inspector General concluded that the “relatively simple process to post to Yammer not only made VA vulnerable from user uploading,” but that any current or former employee remaining active on the site had access to personally identifiable information, protected health information, and agency-sensitive information.

“After signing up, any user could access, disseminate, or process sensitive information, which should be restricted to VA personnel with an official need to know,” the IG states. “Further, there was no administrator or system set in place to ensure former VA employees and VA contractor employees no longer had access or that VA users did not, accidentally or on purpose, upload PII, PHI, or VA sensitive data.”

If that wasn’t enough, auditors also found that Yammer users at the VA violated department policy when they downloaded and shared files, videos, and images, while risking malware or viruses “which could spread quickly on a social media site because of a false sense of security that VA approved the use of Yammer.”

Making matters worse, OIG reported numerous user posts that were non-VA related, unprofessional, or had disparaging content that “reflected a broad misuse of time and resources.” Yammer also regularly spammed and excessively emailed VA employees, according to the report.

In particular, OIG took Stephen W. Warren—the VA’s former chief information officer—to task for giving the false impression in official communications that the agency approved the use of the Yammer social network. Warren, a registered VA Yammer user since May 2011, even hosted a question and answer forum on Yammer in June 2013. He served as CIO of the VA up until early last month.

OIG disclosed in its report that, as of earlier this month, 25,171 VA email addresses were registered with Yammer as active members and another 25,609 VA email addresses were registered as not yet activated.
