At least a dozen employees at the Department of Veterans Affairs improperly accessed the medical records of vice-presidential nominees JD Vance and Tim Walz this summer, VA investigators found, in a violation of federal health privacy laws that is under criminal investigation.
VA officials notified the Vance and Walz campaigns about the breachesafter discovering the unauthorized viewing by employees at the agency’s massive health care arm, the Veterans Health Administration, according to people familiar with the investigation who spoke on the condition of anonymity to describe the ongoing investigation.
VA Inspector General Michael Missal’s office has sharedevidence to federal prosecutors on the actions of several employees in the health system, includinga physician and a contractor who spent extended time looking at the candidates’ medical files, according to law enforcement officials, raising investigators’ concerns about their motives.
Like the others, the physician and contractor used their VA computers to get into the records, mostlyfrom theirgovernment offices.
Investigators are trying to determine whether Walz or Vance’s health records have been shared as a result of the breach. The motives of those who looked at the information are under investigation, law enforcement officials said. Some employees told investigators that they were simply curious to see Walz and Vance’s medicalrecords, as both nominees’ military service has faced scrutiny during the presidential campaign. They are the first veterans on both vice-presidential tickets since the 1996 campaign, when Democrat Al Gore and Republican Jack Kemp were running.
The VA employees did not gain access to any disability compensation records, which are held more securely than health records, officials said.
“We take the privacy of the Veterans we serve veryseriously and have strict policies in place to protect their records,” VA press secretary Terrence Hayes said in an email. “Any attempt to improperly access Veteran records by VA personnel is unacceptable and will not be tolerated.” He referred further questions to the Justice Department.
A Justice Department spokeswoman declined to comment, as did Missal’s office, which first investigated the violations.
A Walz campaign spokeswoman declined to comment, citing the ongoing investigation. A Vance spokesman also declined to comment.
Walz, the Minnesota governor runningon Vice President Kamala Harris’ Democratic ticket,served 24 years in the National Guard before retiring to run for Congress.Vance served four years in the Marine Corps before his election as the Republican senator from Ohio and selectionas former presidentDonald Trump’s running mate.
Vance has said that he received VA medical care for a time after he left the Marine Corps. It is unclear whether Walz used the health system before his election to Congress in 2006, but his medical records from the military arestored in the VA system.
The breach, which took place in July and August,was discovered in August during a security sweep of VA’s high-profile health accounts, which are periodically monitored by the agency.
Missal’s office found that veterans’ health records are relatively easy to log into for VA physicians and other medicalpersonnel in the health system of close to 400,000employees serving more than 9 million registered veterans, a policy designed to ensure quick access for doctors inside and outside VA inan emergency. That contrasts with the benefits division, which distributes monthly disability compensation payments to more than 5 million veterans, andlimits access to these records to a small number of employees, and fewer still for the records of high-profile figures,officials said.
Shortly after the misconduct by his employees was discovered, VA Secretary Denis McDonough sent a missive to the agency’s workforce of more than 450,000employees to remind them of the rules surrounding veterans’ privacy.
“Veteran information should only be accessed when necessary to accomplish officially authorized and assigned duties as an employee, contractor, volunteer, or other personnel,” McDonough wrote in an Aug. 30 email. “Viewing a Veteran’s records out of curiosity or concern — or for any purpose that is notdirectly related to officially authorized and assigned duties — is strictly prohibited.”
McDonough noted that any violation of the rules could bring disciplinary action, including possible removal, as well a referral to law enforcement agencies for civil penalties and criminal prosecution.
Any employees who are not criminally charged after the incident could stillface administrative sanctions, VA officials said.
Prosecutors are weighing, among other factors, how long employees were in the files and their intent when they looked at the candidates’ medical information.
Looking at another person’s health information without authorization is a violation of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Unauthorized access or disclosure beyond what is permitted are the most common types of HIPAA violations, which carry criminal penalties of up to $50,000 and up to a year of imprisonment.
Security breaches in health records occur frequently as the health-careindustry is exposed to increasingly sophisticated cyberattacks. But criminal prosecutions in individual cases are rare.
Razzan Nakhlawi contributed to this report.