WASHINGTON — The U.S. Department of Veterans Affairs said sensitive personal information related to employees’ vaccination status was improperly disclosed last fall.
Following an investigation by the department’s data breach response service, the agency removed a spreadsheet containing personnel details, according to a notice sent to employees of the agency’s contracting unit obtained by the Federal Times.
“After internal review, the VA agrees that the information in these documents should not have been placed on SharePoint without the appropriate access permissions, and this incident resulted in the inadvertent or unauthorized transmission or disclosure of sensitive personal information,” the notice said.
A VA spokesperson did not immediately respond to emailed requests for comment. The notice said the agency would complete any further investigations required.
The data included the names of employees and whether or not they were vaccinated or exempt, according to the National VA Council of the American Federation of Government Employees, which filed a complaint. About 500,000 employee vaccination status records were disclosed without authorization and were sent to various senior leadership members of the Veterans Health Administration, the union said.
The information did not show the basis on which an exception to the agency’s vaccine mandate was granted, whether on medical or religious grounds, said Sarah Hasan, an attorney for the NVAC.
“We knew they were collecting this information, but we didn’t realize they were actually extracting and aggregating it for senior staff to inform who had been vaccinated [and] who hasn’t been vaccinated,” Hasan told the Federal Times in an interview.
The union said many recipients did not need to know this information and employees did not give written consent in advance, constituting a violation of privacy law.
Hasan said the links to the files were active for about two hours before the VA removed them, but anyone who received the email or had a link to that SharePoint site was able to view the data, both from home and from a work computer.
“It’s not that they can’t necessarily collect this information or that they can’t disclose it to certain people,” Hasan said. “But it was just the extent of the disclosure, it really exceeded the authority of him.”
Molly Weisner is a reporter for the Federal Times, where she covers jobs, policies and contracts related to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly graduated from the University of North Carolina at Chapel Hill with a degree in journalism.