The original complaint, from a VA hotline, alleged that unauthorized contractor access also occurred at VA medical centers in Kansas City, Mo., Huntington, W. Va., and Wilmington, Del. The vendor, a VA contractor since 1992 that is not named in the report, accessed a system that fills prescriptions, logs appointments, and manages confidential electronic health records.
"We substantiated the allegation of unauthorized access to VA systems and networks," VA auditors wrote. "We found that certain corporate officers improperly used other employees' Virtual Private Network user accounts to gain unauthorized access to VA systems and networks."
IG auditors found sensitive patient data stored on unencrypted hard drives at the contractor's office; failure to use firewall protections; inadequate anti-virus and malware protection; and unauthorized sharing of user accounts.
The VA's Office of Information and Technology concurred with the 19-page report, which included several remedial recommendations.