VA apps pose privacy risk to veterans’ healthcare data

March 29, 2020

The increasing use of apps provided by the Department of Veterans Affairs is meant to improve access to patient health and benefits information in convenient digital platforms. However, members of Congress are worried that this electronic data is vulnerable.

“When a veteran downloads an app from the VA’s app store, how much personal information does the VA receive?” asked Rep. Susie Lee (D-Nev.), chair of the House Veterans’ Affairs Subcommittee on Technology Modernization, during a hearing on Wednesday. “What is the process used to determine what is minimally required?”

Lee noted that her subcommittee studied some of the VA’s apps, many of which “require significant, elevated permissions and access to users’ data or devices.” As a result, she contends that these apps as currently configured “may be excessive and unnecessary invasions of a veteran’s privacy” and may put them at risk for identity theft.

“Why do these apps need access to location, a user’s photos, calendars, contacts and other information?” asked Lee. “Are these permissions necessary for its function?”

Rep. Jim Banks (R-Ind.), ranking member of the subcommittee, observed that personally identifiable information and protected health information are increasingly stored in the cloud and provided to external apps.

“Business Associate Agreements stipulate how patient data will be used but patients rarely have any idea what those agreements say,” said Banks. “And, notices of privacy practices are often vague.”

In that regard, Lee pointed out that the privacy policy for one VA app is “988 words of legalese with clauses about incidental or consequential damages.”

However, Paul Cunningham, the VA’s Chief Information Security Officer and Chief Privacy Officer, testified that veterans voluntarily share their personal information with the agency—including personally identifiable information and protected health information.

“When Veterans do provide information, VA will not disclose that information to outside parties except at the request of the veteran or as authorized by law,” according to Cunningham’s testimony. “Additionally, VA.gov will never sell or rent personal information to outside parties. Violation of any part of this policy within the department would result in corrective actions including possible dismissal and could result in a criminal charge against the offending employee or contractor.”

While the VA must often share data with third-party partners, Cunningham said the VA “stipulates the terms for acceptable use” in its policies and Business Associate Agreements and that “partners must meet these requirements and protect our data as closely as we do.”
