According to a report recently published by the Office of the Inspector General for the U.S. Department of Veterans Affairs, the department has been transmitting sensitive data, including personally identifiable information, over unencrypted networks.
"The OIG launched a probe following May 2012 allegations that certain VA medical centers were transmitting sensitive information over unencrypted networks. ... This practice turned out to be common," writes FCW's Camille Tuutti.
"The report focused on how medical information is shared between VA medical centers in 10 Midwestern states," writes The Washington Examiner's Mark Flatten. "It was a common practice throughout VA to send unencrypted personal information among outpatient clinics and other outside businesses using regional telecommunications carriers, according to the IG. Those carriers also provide Internet service to other customers, making their system and veterans' records vulnerable to hackers."
"The OIG recommends that the VA chief information officer identify the VA networks transmitting sensitive data over the unencrypted carrier networks and implement configuration controls to ensure encryption of such data," writes FierceGovernmentIT's Greg Slabodkin. "Auditors also say the CIO should also require that OIT personnel complete specialized training emphasizing the importance of encrypting sensitive VA data transmitted across the Internet. The CIO concurred with the OIG's recommendations."