An inspector general's report revealed that Palo Alto's Department of Veterans Affairs facility provided patient information to a private IT company whose employees had not been cleared through background checks.
The Sept. 28 report was instituted after a complaint by the House Committee on Veterans' Affairs alleged that the VA Palo Alto Health Care System's informatics chief had entered into an illegal agreement with a healthcare tech company, Kyron, for sharing patient information.
The OIG found no evidence of an illegal agreement and concluded that a pilot program the VA entered into, meant to provide statistical analysis of treatment information, was properly administered.
VA removed identifiable information beyond what was required for the statistical analysis before passing the information over. However, the OIG also concluded that VA did not ensure that Kyron staff handling de-identified patient information had received the background checks or the proper security and privacy training.
The report also found that Kyron's software, which extracts de-identified information from VA servers, had not yet been approved by VA information security officers before it was installed.
According to the report, the informatics chief had reached out to ISOs for approval before allowing Kyron to install its software, but never received a response.
The OIG made four recommendations, including conducting a risk assessment on Kyron's software and conducting the appropriate software approvals and training.
The VA concurred with the recommendations and promised to address them by October.





