Possible serious data breech with delivery of C File

[Subvet416]

I sent for my C File as I have on-going issues with VA Healthcare.  It's a large file now as it goes back to 1978.  I arranged for it to be digitized on a CD to be sent to me in Feb.  When months went by and I did not receive it, I called VBA.  It had been sent but somehow never delivered, in other words, lost in the mail.  I again called VBA and expressed my concern that the data on the missing CD could be used for identity theft and frauds of various kinds and that this was a risky delivery method considering the current level of US Mail theft and tampering.  I was finally connected to a "supervisor" at VA who assured me that the lost CD was "encrypted" and that I would have to answer personal questions in order to open it.  When I asked what operating system was needed to do that, she said "any computer".

Yesterday, I received the replacement CD sent recipient signature required as I had requested.  I opened it right up on my Linux system with free and open source software.  It is not encrypted or secure.  Worse yet, as soon as I scrolled down to the first document, it was details of my compensation, including my Navy Federal Credit Union account number and routing number, and my social security number.  The total PDF is over 2000 pages and filled with material that could be used for nefarious and even espionage purposes.

So I called right back to VA, explained it all again to a supervisor who said she was told by her IT people that an Adobe program that vets are directed to download was required to open the CD.  This is absolutely untrue, and even if that program is used, there is no encryption.  When I challenged her, she assured me she would follow up and get back to me.  She has not.

[Dustoff1970]

This is a usual typical response from government bureaucrats about anything unfortunately.  I may have received in person at large VA hospital long time ago in Texas a CD with all my health records but I also was given paper print out copies in thick stack and since then all my requested copies have been paper form.  I think I remember I could not open or view the CD on my PC for some reason. My records are now 6000 pages according to recent QTC examiner.

From 2001 to 2003 as a result of my filing a CUE claim with the CAVC court the VA General Counsel provide me paper copy of my entire C-File with no CD sent to me.  Also included were near complete set of my Army service records that could joke an elephant.

I am going to search again for the CD in my file boxes.

Edited August 3, 2022 by Dustoff 11 (see edit history)

[MilvetHD]

I'm sorry to hear about your poor experience,  glad however that you took the appropriate steps to follow up with the VA. The truth is we should all operate as if our personal information has been compromised it's just a fact of life now. The Government in general is limited in how they can protect our information because so much of the information is stored across multiple, often third party cloud systems. We put contract clauses in place that stipulate reporting requirements within 24 hrs etc etc but my point is this is always after the fact. Obviously monitor your accounts but otherwise I don't much will come of this unfortunate incident. For all we know and based upon the VA track record it may very well have never been sent. 

[Whodat]

1 hour ago, Subvet416 said:

I sent for my C File as I have on-going issues with VA Healthcare.  It's a large file now as it goes back to 1978.  I arranged for it to be digitized on a CD to be sent to me in Feb.  When months went by and I did not receive it, I called VBA.  It had been sent but somehow never delivered, in other words, lost in the mail.  I again called VBA and expressed my concern that the data on the missing CD could be used for identity theft and frauds of various kinds and that this was a risky delivery method considering the current level of US Mail theft and tampering.  I was finally connected to a "supervisor" at VA who assured me that the lost CD was "encrypted" and that I would have to answer personal questions in order to open it.  When I asked what operating system was needed to do that, she said "any computer".

Yesterday, I received the replacement CD sent recipient signature required as I had requested.  I opened it right up on my Linux system with free and open source software.  It is not encrypted or secure.  Worse yet, as soon as I scrolled down to the first document, it was details of my compensation, including my Navy Federal Credit Union account number and routing number, and my social security number.  The total PDF is over 2000 pages and filled with material that could be used for nefarious and even espionage purposes.

So I called right back to VA, explained it all again to a supervisor who said she was told by her IT people that an Adobe program that vets are directed to download was required to open the CD.  This is absolutely untrue, and even if that program is used, there is no encryption.  When I challenged her, she assured me she would follow up and get back to me.  She has not.

Imagine that. The VA received millions of dollars for improvements for IT. Where is the money going to? 

Now I think that since the VA is so careless with PII, they need to provide all vets with identity theft protection for life. 

If we were provided to view our filed own our own, at our risk, then that would be our fault. But since the VA wants total control, they should be held accountable. 

Now since this has happened, I think that this situation has increased your anxiety. This may should be a part of your medical report. I would message my pct. 

[Vync]

@Subvet416In 2021, I went down the exact same red-tape rabbit hole with the VA on this exact concern. 

The VAMC Release of Information office has mailed several CDs to me. Every time they have been encrypted and required my signature.

I requested my c-file on CD in 2020 so I could review all my VA records and prepare to file an FTCA claim involving a heart attack that was later SC'd. The first request was closed, but I never received the disc. I escalated and eventually talked with a lady at the St. Louis VARO who worked in the office that burned and mailed the discs. I was assured the disc was encrypted and sent signature required. However, they could not trace what they mailed. Because many weeks had passed, I requested they send me another copy. The two year deadline to submit the FTCA was fast approaching. I had to send off an incomplete request in early 2021 just before the deadline, but clearly explained that the VA had failed to deliver the c-file disc in a timely manner. Fortunately, about 10 years prior I had a fully unredacted c-file hard copy of thousands of pages sent via regular mail, so I used that to the best of my ability. That too was simply left on my front porch. Of course, COVID-19 lockdowns were in full swing at this time which the VA regularly used to explain delays.

The second disc arrived in my mailbox a small mailer, but someone had already torn off the return receipt card. It was just left in my mailbox. I checked the disc and found:

1. The disc and the PDF file were not encrypted at all. They could have at least encrypted the PDF with a password.

2. The contents of the PDF file were mostly redacted, which went against my request. The redactions frequently covered up content which might have became relevant.

3. My PDF contained over 11,000 pages including medical/mental health records, military orders, bank records, social security information, classified information, and other pieces of personally identifiable information (PII) were present.

Please keep in mind that I am employed as a programmer who works with scanned documents archiving and storage systems, so I know my stuff about encryption and secure data delivery options. I was quite upset with what had happened, so I escalated with the VBA. Eventually, a supervisor called me from that same office. If I would have made these same mistakes, I would be out of a job. I learned: 

1. C-file discs were sent first-class mail with signature required.

2. The PDF files were not encrypted in any manner. However, they were going to have meetings to discuss changing this in the future.

3. Because the VA regularly sends hard copies of other sensitive information via first-class mail, encryption of the PDF files was similarly not required.

4. Plans to allow veterans a solution to access their records online was "currently in the works". However, no ETA and it could be years.

5. They did not have a copy of the signature card from the initial c-file that was mailed.

6. The PDF bookmark text included a GUID for many entries. A GUID is a global unique identifier, or a unique ID, that is used in document storage systems. It made the bookmark text frequently difficult to read.

7. The guy said that he just runs a program the VA gave him. It creates the disc and they simply mail it out.

No "oops", no "we're sorry", no "we screwed up", no "we're going to get to the bottom of this", etc...

 

[Vync]

1 hour ago, Whodat said:

Imagine that. The VA received millions of dollars for improvements for IT. Where is the money going to? 

Now I think that since the VA is so careless with PII, they need to provide all vets with identity theft protection for life. 

If we were provided to view our filed own our own, at our risk, then that would be our fault. But since the VA wants total control, they should be held accountable. 

Now since this has happened, I think that this situation has increased your anxiety. This may should be a part of your medical report. I would message my pct. 

Bingo.

They should give identify theft protection for life. And not just notification services. It should also cover the costs to repair exposed identities, repair credit fraud, etc...

Yeah, we have the so-called Blue Button option to view some, but not all, medical records. However, they add a 36 hour delay for no reason at all. On top of that, you can't even get your C&P exam for 30 days and they don't make it easy to get either. By the time you get a copy and realize the examiner screwed up, the claim has already been closed out for weeks and you have to take one of the review or appeal routes.

Lawyers, VSOs, and VA accredited/certified agents with POAs can access the VBMS system and obtain information. I don't know if they have direct access or the ability to bring down c-file contents. Honestly, many of them do not have the time to do that. If not for my heart attack and the residually exhausting brain fog, I would pursue VA accreditation/certification just so I could get access to my own records...

[Whodat]

So who is in control? The Vets? The one's who volunteered their lives to protect their country or the politicians to line their pockets.  

[Carl the Engineer]

I just got my cd in the mail a month ago.  No encription.

Carl

 

[Whodat]

4 hours ago, Subvet416 said:

I sent for my C File as I have on-going issues with VA Healthcare.  It's a large file now as it goes back to 1978.  I arranged for it to be digitized on a CD to be sent to me in Feb.  When months went by and I did not receive it, I called VBA.  It had been sent but somehow never delivered, in other words, lost in the mail.  I again called VBA and expressed my concern that the data on the missing CD could be used for identity theft and frauds of various kinds and that this was a risky delivery method considering the current level of US Mail theft and tampering.  I was finally connected to a "supervisor" at VA who assured me that the lost CD was "encrypted" and that I would have to answer personal questions in order to open it.  When I asked what operating system was needed to do that, she said "any computer".

Yesterday, I received the replacement CD sent recipient signature required as I had requested.  I opened it right up on my Linux system with free and open source software.  It is not encrypted or secure.  Worse yet, as soon as I scrolled down to the first document, it was details of my compensation, including my Navy Federal Credit Union account number and routing number, and my social security number.  The total PDF is over 2000 pages and filled with material that could be used for nefarious and even espionage purposes.

So I called right back to VA, explained it all again to a supervisor who said she was told by her IT people that an Adobe program that vets are directed to download was required to open the CD.  This is absolutely untrue, and even if that program is used, there is no encryption.  When I challenged her, she assured me she would follow up and get back to me.  She has not.

Hopefully you gotten all names and supposedely  all information is recorded for training purpose. What is the training for? To lie to the vet?

[Subvet416]

Many thanks to all of you who responded and helped me gain perspective on the situation.  It looks like it far more systemic than just an IT screw-up.  Another surprise was the inclusion of my service records and what remains of my entire VA medical records.  Years of these records have been lost, deep-sixed, spoliated, etc.  That's why I wanted the C File.

The PDF they sent me is over 2,000 pages.  I have not begun to explore the contents.  I only wanted several documents from the C-File.  I thought perhaps NCIS might be interested in how the information they felt as recently as eighteen months ago was extremely sensitive, VA now sends out to be lost in the US Mail. I was wrong about that, too.

Good Luck and Good Hunting to us all.  We need it.

[broncovet]

I have had similar experiences.  Yes, a Knoppix (Linux) CD will give full access to a hard drive.  You can run the operating system Linux live on the CDROM drive, without installing Linux on the hard drive. 

Windows wont run "live" on a cd drive, you have to install it on the hard drive.  But, Linux will.  You can try the operating system to see if you like it.  It does run a bit slower from the CDROM drive, than from a hard drive.  But its perfect for recovering data on your hard drive, when you cant boot from the hard drive.  (You simply boot it up on the Linux CDRom, then you can copy any of your files onto a jump drive that you need to recover). 

In the VA's defense, however:  Your paper file was not encrypted.  Anyone who got their hands on your paper file could read it.  So, copying your paper file on CDRom, did not reduce your internet security, because it was unencrypted on paper, now, its unencrypted on CDROM.  For your security, you need to take "physical" control over the CDrom, or the paper file.  Just dont let unauthorized persons have it. 

All this said, VA has had "breaches" of internet security, when one or more employees took a laptop home, with many Vets data, and got it lost or stolen.  A similar thing could happen with many paper files, or CDroms of Veterans data. 

Personally, Im not gonna waste any time worrying about who reads my file, "when VA has control over it".  This is the job of the VA's internet security department. 

I made a deal with VA. (lol)   Their internet security department does not worry about my grandkids, and I dont worry about their internet security.   (I borrowed this from Pizza hut.  They said they made a deal with the bank.  The bank does not make pizza, and Pizza hut  doesnt cash checks.) Frankly, my life is too short to worry about others who can not or will not do their job.  

However, "when I have control" of my cfile, I guard the information.  I keep the cd locked up, and do not copy it to my hard drive for hackers.  So, for the few hours I am actually reading my own cfile off the cdrom, I disconnect my computer from the internet.  Problem solved.  

Only the most skilled of hackers can get my "cfile residue" from the hard drive after I view it and remove the cdrom.   If that concerns you, have 2 computers, one for online, and another never connected to internet for viewing your own file.  Im not going to that extreme at this point, but, it could come to that.  

Its actually an internet security risk, and most places wont let you put a cdrom in the drive, or a jump drive on the company computer system.  They dont know whats on that jump drive or cdrom, so they are not taking chances.  Its a pain, but having a seperate computer, never online, for your personal viewing of cdroms, or jump drive data is possible, you need to decide if its worth it for you.