Privacy and Cybersecurity: VA Has Made Progress Enhancing Security Controls for Protected Health Information
Fast Facts
The Department of Veterans Affairs delivers health care to millions of veterans. In the process, VA uses external service providers to create, maintain, and transmit protected health information. VA took steps to protect the privacy of information that it shared with these service providers. For example, VA regularly enters into agreements with them to ensure they meet the requirements of health information privacy laws.
Additionally, VA’s Million Veteran Program collects veterans' genetic data for research. VA has recently implemented a number of additional security controls to further protect this data.

Highlights
What GAO Found
The Veterans Health Administration (VHA) uses the services of external entities, known as business associates, that act on behalf of health care providers or other business associates to create, receive, maintain, or transmit protected health information (PHI). The Department of Veterans Affairs (VA) has implemented PHI sharing agreements with these entities to ensure they address requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. GAO reviewed 73 randomly selected sharing agreements and found that 100 percent of them included all 12 HIPAA Privacy Rule requirements for use and disclosure of PHI. Further, VHA documented responsibilities for conducting performance audits to confirm that external entities are protecting veterans’ PHI.
VA took steps to secure the health information in a key system used by its Million Veteran Program (MVP), which is focused on examining how genetics, lifestyle, military experiences, and exposures affect health and wellness in veterans. However, deficiencies existed in certain cybersecurity controls related to asset and risk management; configuration management; identity and access management; and continuous monitoring and logging. As a result of these deficiencies, VA had reduced assurance of the confidentiality and integrity of sensitive health information in the MVP. In September 2025, GAO made 13 recommendations to VA to address these deficiencies.
Since September 2025, VA has implemented nine of the 13 recommendations and partially implemented three others (see figure). GAO will continue to monitor VA’s progress in implementing the remaining recommendations.
Figure: VA Progress, as of March 2026, in Addressing 13 GAO Recommendations Made in September 2025

Why GAO Did This Study
Within VA, VHA oversees the delivery of health care services to millions of veterans. The amount of PHI used by VHA and shared with external entities highlights the importance of protecting the privacy of PHI.
Further, VA is responsible for the cybersecurity of veterans’ sensitive health data, such as information in systems used to support its MVP. Since MVP launched in 2011, about 1 million veterans have joined it, making it the nation’s largest biorepository of veteran data.
GAO was asked to review VA’s privacy and cybersecurity efforts. In September 2025, GAO issued a sensitive report with limited distribution on the extent to which VHA oversaw the privacy of veterans’ health information shared with external entities, and the extent to which VA protected the confidentiality and integrity of veterans’ health information in its MVP, among other things. In that report, GAO identified security control deficiencies in a system supporting MVP and made 13 recommendations to address them.
This report is a public version of the September 2025 report, with sensitive information removed. For this public report, GAO also determined the extent to which VA had taken corrective actions to address the previously identified security control deficiencies and the 13 related recommendations for improvement. GAO reviewed supporting documents and interviewed agency officials regarding VA’s actions to address these recommendations.
For more information, contact Jennifer R. Franks at FranksJ@gao.gov.