OIG: VA Staff Hid Privacy, Security Risks of AI Health Data Project

Two VA employees hid and falsely represented the privacy and security risks of an AI project with a health vendor in 2016. VA pulled the contract before health data was shared.

Two employees of the Department of Veterans Affairs concealed and made false representations about the privacy and security risks of a 2016 AI health data project between the agency and Flow Health, according to a recent VA Office of Inspector General report.

In 2016, VA and Flow Health were set to enter into a cooperative research and development agreement (CRADA), an agreement between a federal lab and a nonfederal party. Typically, the Veterans Health Administration (VHA) enters into CRADAs with private entities and universities.

The objective of the CRADA in question was to improve the health and wellness of veterans by combining VA health data with Flow Health’s AI and deep learning technology to detect the onset of disease, improve the accuracy of diagnoses, and address other related concerns.

The False Statements and Concealment of Material Information by VA IT Staff report details an administrative investigation into a joint referral received in December 2016 from the then under secretary of health and then CIO and assistant secretary for IT.

The referral requested an investigation into potential conflicts of interest of certain VA employees in connection with the establishment of a CRADA with Flow Health. The CRADA proposed having VA share the health data of all veterans who had ever received healthcare at the agency, including genomic data, with the private company.

Under the contract, the data sharing arrangement would include veterans’ current health data for five years.

Senior VHA and OIT officials became aware of the contract in November 2016 due to media coverage and unilaterally pulled the contract prior to the release of any health information.

“The CRADA identified an OIT program manager as the ‘CRADA Leader’ and a health system specialist in the VHA central office as the ‘VA Principal Investigator,’” according to the report. “The OIG did not substantiate that any of the employees named in the complaint had a financial interest in Flow Health that would create a conflict of interest under relevant law.”

“The OIG did substantiate, however, that the OIT program manager and the VHA employee made false representations to and concealed material information from the VA approving official for the CRADA.”

Ahead of the contract, three VA privacy leaders informed the OIT program manager and the VHA employee behind the CRADA of serious privacy concerns that needed to be addressed before the contract’s approval.

Those concerns included security issues introduced by certain characteristics of the CRADA, such as large sets of unprotected patient data, compounded by computation in a cloud environment.

Further, VA Office of General Counsel Health Care Law Group raised its own privacy concerns ahead of the CRADA, which included the reidentification of deidentified data under HIPAA. At the time, officials stressed the need for the contract to go through the VHA privacy office.

The employees in question were told of these concerns verbally and later indicated that they had already coordinated with VHA privacy officials.

However, not only did the employees in question fail to resolve those privacy issues ahead of the approval; the privacy officials had never received, reviewed, or approved the CRADA at all.

Over the course of a month, OIG found the employees in question made a number of false statements regarding the status of the privacy and security reviews of the CRADA and its business associate agreement.

The employees also concealed from the approving official the significant privacy concerns raised by subject matter experts, implying that any identified issues had been resolved.

The approving official was never made aware of the previous privacy and security concerns raised ahead of the contract.

The OIG report further concluded that the approving VA official relied on the information received from the employees in question, which led to an approval of the CRADA under those false pretenses.

“As a result of the OIT program manager’s and the VHA employee’s actions, the health data of tens of millions of veterans would have been placed at risk of disclosure had the contract not been cancelled,” according to the OIG report.

The OIG referred the matter to the Department of Justice, which declined to prosecute the employees in question.

In light of the findings, OIG recommended that VA determine whether administrative action should be taken against the employees in question over their conduct. VA concurred with all recommendations.
