Two Veterans Affairs Employees’ Lies Placed Health Data for Millions of Veterans at Risk

February 21, 2021

On January 28, 2021, the Office of Inspector General (OIG) for the Department of Veterans Affairs (VA) published a report detailing how two employees “made false representations” and “concealed material information” concerning a contract with an artificial intelligence company. The contract was brought to the OIG’s attention by a pair of high-level VA officials who questioned whether several VA employees had conflicts of interest in connection with the recently signed contract. The VA then unilaterally terminated the agreement, only twenty days after the contract was signed. If the VA had not acted quickly, the “health data of tens of millions of veterans would have been placed at risk of disclosure.”

In the fall of 2016, the VA was considering a cooperative research and development agreement (CRADA) with Flow Health. Flow Health is a big data company that uses artificial intelligence, gleaned from its large data sets, to guide medical decision-making. According to its CEO, Alex Meshkin, Flow Health’s mission is to “advance healthcare by applying the latest artificial intelligence techniques to improve the detection, diagnosis, treatment and management of diseases.”

This type of contractual arrangement between the VA and a private company is not unique. The VA routinely enters into CRADAs with both public and private parties to partner on research and development, as authorized under 15 U.S.C. § 3710a. However, these research and development activities are usually “associated with the provision of medical care to veterans” and overseen by a different office than the one in charge of the Flow Health CRADA.

In this particular CRADA, the VA wanted to use Flow Health’s “deep learning and artificial intelligence resources to discover evidence to prevent disease onset, improve the precision of diagnoses, and identify treatment plans that together position clinicians to make recommendations tailored specifically for individual veteran patients.” Flow Health benefited from the agreement, too. It planned to use the veterans’ health data to create “the world’s largest knowledge graph of medicine and genomics from over 30 petabytes of longitudinal clinical data drawn from VA records on 22 million veterans spanning over 20 years.”

Two VA employees, a program manager in the Office of Information Technology (OIT program manager) and a health system specialist in the Veterans Health Administration (VHA employee), were involved in establishing the Flow Health CRADA. In the agreement, the OIT program manager was designated the “CRADA leader” and the VHA employee was listed as the “principal investigator.” While these two employees did not have authority to approve the deal themselves, they were responsible for conducting the research and obtaining approval from the VA official who did have authority to sign off on the CRADA.

The OIT program manager and the VHA employee knew from the beginning that this deal posed privacy concerns. In June 2016, a VA contract official warned:

“I would be remiss in my responsibilities to VA if I didn’t caution about security issues introduced by the characteristics of this CRADA. We can certainly talk more about these, but in short the integration of large data sets of [Protected Health Information], compounded by computation in a cloud environment, introduce a number of regulatory and statutory security challenges.”

The legal team’s deputy chief counsel expressed concerns, too. After asking another VA attorney who specializes in information law to look over the agreement, the information law attorney replied: “I know VHA has been very concerned with the re-identification of even de-identified data under the Health Insurance Portability and Accountability Act (HIPAA) safe harbor. So, this is definitely one that needs to be routed through VHA Privacy.” However, when the deputy chief counsel passed this recommendation along, the OIT program manager falsely claimed that the privacy team had already looked over the CRADA and was “comfortable with it.”

In September 2016, the approving official inquired about “the cybersecurity implications of the proposed CRADA.” The OIT program manager was therefore obligated to reach out to the cybersecurity director. Echoing the legal team’s concerns, the cybersecurity director added a privacy team member to the email chain and asked privacy to look over the document. The next day, the OIT program manager claimed to have already worked with the legal team to address the HIPAA requirements and that all of “the necessary requirements [are] in place to move forward.” Notably, the OIT program manager removed the approving official from the email chain.

Once privacy was looped into the conversation, the OIT program manager and the VHA employee received multiple emails from members of the privacy team who were alarmed by the CRADA. Members of the regulatory team and the Million Veteran Program also called and sent emails. Those calls and emails were ignored. Meanwhile, the OIT program manager and the VHA employee used their personal email accounts and cellphones to communicate with Flow Health, in violation of federal records management laws.

Ultimately, the approving official signed the CRADA, believing it was an acceptable agreement because of the false information he had been given. During the OIG’s investigation, he explained, “Everybody that I thought was supposed to … said it looked fine, and that’s why I signed the CRADA.” Based on these facts, the OIG found that the OIT program manager and the VHA employee “made false statements… pertaining to the status of the information security and privacy reviews” and “concealed…significant privacy concerns raised by subject matter experts.” Not only did they hide relevant concerns from the approving official; they also falsely and intentionally implied “that any identified issues had been addressed and resolved” in an effort to induce the official to approve the CRADA.

Notably, the “OIG did not substantiate that any of the employees named in the complaint had a financial interest in Flow Health that would create a conflict of interest under relevant law.” However, it is unclear whether any “lawful” financial interests were discovered. The OIG also referred its findings to the U.S. Department of Justice, which declined to prosecute.

Caroline Pope