Subcontractor put VA health records at risk: IG

Management controls by the Veterans Health Administration over the acquisition of medical transcription services and over the privacy and security of patient information are deficient and need improvement, according to VA's inspector general.

The VA Office of Inspector General has been investigating allegations that an offshore medical transcription subcontractor threatened last year to expose 30,000 veterans' electronic health records on the Internet in a payment dispute with another subcontractor over $28,000.

VHA, an agency of VA, needs to develop the ability to perform its medical transcription in-house, because there is no practical way to ensure that contractors safeguard patients' protected health information, said Michael Staley, VA assistant inspector general for auditing, in a report released late this afternoon.

'These allegations suggested that contract transcription services, which are widely used by VHA to perform a vital administrative function, are carried out in a high-risk environment that lacks reliable security and regulatory controls,' Staley said.

The incident occurred because VHA lost control over its patient information once the information traveled outside the VA system firewall, he said. The inability to control confidential information in an era of global outsourcing leaves protected health information unprotected and patients subject to identity theft. The payment dispute has been settled, but VA and the Justice Department are still investigating.

Use of speech recognition technology to transcribe medical reports in-house would resolve the contract and security issues. Medical transcription is the translation of patient health assessments recorded by physicians into text reports for documentation in the patients' medical records.

Some VA medical transcription contractors used offshore subcontractors in India and Pakistan without VA's approval and without adequate controls to ensure veterans' health information was secure under the Health Insurance Portability and Accountability Act.

The U.S. contractor paid the subcontractor the amount in dispute, and the offshore subcontractor certified that all VHA records were destroyed.

'However, VHA has no way of validating whether the subcontractor actually destroyed the information or whether other VHA patient records are in the possession of offshore subcontractors, or individuals and groups hostile to U.S. interests,' Staley said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

