VA staff got into Vance, Walz medical files, sparking investigation

At least a dozen employees at the Department of Veterans Affairs improperly accessed the medical records of vice-presidential nominees JD Vance and Tim Walz this summer, VA investigators found, in a violation of federal health privacy laws that is under criminal investigation.

VA officials notified the Vance and Walz campaigns about the breaches after discovering the unauthorized viewing by employees at the agencyâ€s massive health care arm, the Veterans Health Administration, according to people familiar with the investigation who spoke on the condition of anonymity to describe the ongoing investigation.

VA Inspector General Michael Missalâ€s office has shared evidence to federal prosecutors on the actions of several employees in the health system, including a physician and a contractor who spent extended time looking at the candidates†medical files, according to law enforcement officials, raising investigators†concerns about their motives.

Like the others, the physician and contractor used their VA computers to get into the records, mostly from their government offices.

Investigators are trying to determine whether Walz or Vanceâ€s health records have been shared as a result of the breach. The motives of those who looked at the information are under investigation, law enforcement officials said. Some employees told investigators that they were simply curious to see Walz and Vanceâ€s medical records, as both nominees†military service has faced scrutiny during the presidential campaign. They are the first veterans on both vice-presidential tickets since the 1996 campaign, when Democrat Al Gore and Republican Jack Kemp were running.

The VA employees did not gain access to any disability compensation records, which are held more securely than health records, officials said.

“We take the privacy of the Veterans we serve very seriously and have strict policies in place to protect their records,� VA press secretary Terrence Hayes said in an email. “Any attempt to improperly access Veteran records by VA personnel is unacceptable and will not be tolerated.� He referred further questions to the Justice Department.

A Justice Department spokeswoman declined to comment, as did Missalâ€s office, which first investigated the violations.

A Walz campaign spokeswoman declined to comment, citing the ongoing investigation. A Vance spokesman also declined to comment.

Walz, the Minnesota governor running on Vice President Kamala Harris†Democratic ticket, served 24 years in the National Guard before retiring to run for Congress. Vance served four years in the Marine Corps before his election as the Republican senator from Ohio and selection as former president Donald Trumpâ€s running mate.

Vance has said that he received VA medical care for a time after he left the Marine Corps. It is unclear whether Walz used the health system before his election to Congress in 2006, but his medical records from the military are stored in the VA system.

The breach, which took place in July and August, was discovered in August during a security sweep of VAâ€s high-profile health accounts, which are periodically monitored by the agency.

Missalâ€s office found that veterans†health records are relatively easy to log into for VA physicians and other medical personnel in the health system of close to 400,000 employees serving more than 9 million registered veterans, a policy designed to ensure quick access for doctors inside and outside VA in an emergency. That contrasts with the benefits division, which distributes monthly disability compensation payments to more than 5 million veterans, and limits access to these records to a small number of employees, and fewer still for the records of high-profile figures, officials said.

Shortly after the misconduct by his employees was discovered, VA Secretary Denis McDonough sent a missive to the agencyâ€s workforce of more than 450,000 employees to remind them of the rules surrounding veterans†privacy.

“Veteran information should only be accessed when necessary to accomplish officially authorized and assigned duties as an employee, contractor, volunteer, or other personnel,â€� McDonough wrote in an Aug. 30 email. “Viewing a Veteranâ€s records out of curiosity or concern — or for any purpose that is not directly related to officially authorized and assigned duties — is strictly prohibited.â€�

McDonough noted that any violation of the rules could bring disciplinary action, including possible removal, as well a referral to law enforcement agencies for civil penalties and criminal prosecution.

Any employees who are not criminally charged after the incident could still face administrative sanctions, VA officials said.

Prosecutors are weighing, among other factors, how long employees were in the files and their intent when they looked at the candidates†medical information.

Looking at another personâ€s health information without authorization is a violation of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Unauthorized access or disclosure beyond what is permitted are the most common types of HIPAA violations, which carry criminal penalties of up to $50,000 and up to a year of imprisonment.

Security breaches in health records occur frequently as the health-care industry is exposed to increasingly sophisticated cyberattacks. But criminal prosecutions in individual cases are rare.

Razzan Nakhlawi contributed to this report.