Subcontractor put VA health records at risk: IG

Management controls by the Veterans Health Administration over the acquisition of medical transcription services and over the privacy and security of patient information are deficient and need improvement, according to VA's inspector general.

The VA Office of Inspector General has been investigating allegations that an offshore medical transcription subcontractor threatened last year to expose 30,000 veterans' electronic health records on the Internet in a payment dispute with another subcontractor over $28,000.

VHA, an agency of VA, needs to develop the ability to perform its medical transcription in-house, because there is no practical way to ensure that contractors safeguard patients' protected health information, said Michael Staley, VA assistant inspector general for auditing, in a report released late this afternoon.

'These allegations suggested that contract transcription services, which are widely used by VHA to perform a vital administrative function, are carried out in a high-risk environment that lacks reliable security and regulatory controls,' Staley said.

The incident occurred because VHA lost control over its patient information once the information traveled outside the VA system firewall, he said. The inability to control confidential information in an era of global outsourcing leaves protected health information unprotected and patients subject to identity theft. The payment dispute has been settled, but VA and the Justice Department are still investigating.

Use of speech recognition technology to transcribe medical reports in-house would resolve the contract and security issues. Medical transcription is the translation of patient health assessments recorded by physicians into text reports for documentation in the patients' medical records.

Some VA medical transcription contractors used offshore subcontractors in India and Pakistan without VA's approval and without adequate controls to ensure veterans' health information was secure under the Health Insurance Portability and Accountability Act.

The U.S. contractor paid the subcontractor the amount in dispute, and the offshore subcontractor certified that all VHA records were destroyed.

'However, VHA has no way of validating whether the subcontractor actually destroyed the information or whether other VHA patient records are in the possession of offshore subcontractors, or individuals and groups hostile to U.S. interests,' Staley said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

