Other DoD employees’ health records could have also been compromised, according to the report.
In a report released on Aug. 26, the DoD Inspector General stated that “the DoD did not properly regulate access to health information of well-known DoD people and presumably of any DoD personnel, as evidenced by what we uncovered regarding well-known DoD personnel.”
Meanwhile, some security and privacy experts point out that the discoveries at the DoD are similar to the records access weaknesses that private sector healthcare companies struggle with when it comes to VIPs and other patients.
Assessed for DoD compliance
According to the IG, a full audit was conducted from January 2020 to May 2021 in compliance with widely accepted government auditing standards. All authorized users of health information must access only data that they are entitled to access, must have a need to know, and may assume no more than the responsibilities and privileges that they were granted, says the IG.
It’s worth noting that the Defense Health Agency, for example, released interim instructions in November 2018 on how to restrict access for persons with “notoriety.”
The IG audit set out to establish whether the health information of high-profile DoD individuals was properly protected.
An unidentified healthcare official had access to 38 well-known individuals’ health information, the IG’s investigation states. According to the article, the agency’s examination was confined to persons “who became well-known as the result of a high-profile media issue.” The names of the individuals were also removed from the report.
For example, when social media or television are used to inform a big audience of a particular event, the IG observes, “it is considered a high-media incident.”
As noted in the report, in April 2020, the IG auditors requested electronic health record access logs from the Defense Health Agency for selected DoD employees.
According to the IG audit, a total of 1,410 people accessed the health records of the 38 high-profile persons.
To gauge access, the IG adds, it used a “nonstatistically selected” group of 44 DoD workers (or “viewers”) who examined the health information of 18 of the 38 high-profile persons.
When we found out why certain viewers had accessed the health information of a well-known figure, we asked that department or agency to explain why they had done so.
In fact, only roughly seven of the viewers – or 15 percent – were confirmed to have had authorized access to the health information of the high-profile individuals.
About 15 percent of the viewers were not authorized by their employers to see the health information. Fifty percent of viewers – another 22 people – were not confirmed to have had either authorized or unlawful access to the personal health information of DoD high-profile individuals.