The Social Security numbers of Wisconsin veterans are being sent via email without encryption despite numerous federal laws and U.S. Department of Veterans Affairs regulations requiring personally identifiable information be password-protected.
It partly explains how a random Wisconsin veteran received an unsolicited email on April 1 with the Social Security numbers and disability claim information of hundreds of Wisconsin veterans. Since the Vietnam War, veterans’ file numbers or disability claim numbers have been their Social Security numbers.
“I got up, was working at the computer and had an email from the Department of Veterans Affairs in Wisconsin. Not knowing what it was, I opened up the attachment and I panicked,” the veteran said. “It was nine-digit numbers. There were no hyphens. It wasn’t like 111-11-111. It was nine numbers straight.”
A Wisconsin Department of Veterans Affairs spokesperson said the software program, Ironport, which is used by the federal VA, intentionally does not flag nine-digit numbers without dashes because of the concern that there would be too “many false positives.” She said nine-digit number sequences where dashes are used would require the person sending the email to encrypt it before it could be sent or to remove the nine-digit number sequence with the dashes.
The veteran who received the email immediately notified the Wisconsin Department of Veterans Affairs of its error. He forwarded it, with the attachment, to his advocate, a retired colonel who used to work for the WDVA. Together, they notified numerous elected officials and the federal VA about what had happened.
“There is absolutely no reason in the world for me to have this information,” he said. “We were told it was an error. We should not have received that.”
The veteran and his advocate sent an email to the WDVA a week after the privacy breach stating they would assure the department that they “(had) not forwarded this very confidential information.” Kim Michalowski, who was in charge of the WDVA office that sent the email, thanked them in a follow-up email for their “assurances.”
However, any good will between the parties soured when the WDVA, and subsequently the Wisconsin Attorney General’s Office, demanded the veteran and his advocate destroy all records associated with the privacy breach. The veteran responded in an email obtained by News 3 that multiple groups were investigating the matter and he wanted to know if he was being asked to “destroy evidence.”
His answer came less than a month later when he and his advocate were sued in Dane County Circuit Court, in an effort to compel them to destroy all evidence of the email and the attachment. The veteran and his advocate sought legal counsel, paid to completely scrub their computers and were forced to sign an affidavit that they had no record any more of the email and its attachment before the lawsuit was subsequently dismissed.
“We were told we had to clean them off the computer, off all servers, off the cloud. My God, how do I do that? I can barely turn on a computer,” said the veteran, who is remaining unidentified because he is fearful of further retaliation. “I believe the process needs to be rectified. We have very dedicated veterans out there who need to have their privacy, their security, respected, and when this kind of information is released unsolicited, that’s a travesty.”
Nine days after the email was sent, WDVA Secretary John Scocos sent a note to the 637 veterans whose names and file numbers were in the attachment offering credit monitoring for a year and said the incident was a “one-time disclosure to one unauthorized individual, who is a Veteran.” However, less than a week after that, the department’s own investigator determined that the data report inappropriately sent on April 1 had also been sent to “unaccredited recipients.”
“The email filter, on the U.S. Department of Veterans Affairs computer network, which typically alerts the sender to this type of disclosure did not block the sensitive data in this instance,” WDVA Communications Director Carla Vigue wrote in a statement emailed to News 3. “When we contacted the USDVA Network Security Operations Center regarding this occurrence, they were already aware of the problem of certain emails making it past the filter.”
News 3 has learned the April 1 incident is not an isolated one. On at least three other occasions (June 1, 2014, Oct. 1, 2014 and Dec. 1, 2014), the same data report was also sent unredacted to “unaccredited recipients,” or as defined by the VA, people who are not trained to view such personally identifiable information. In fact, the administrator doing the internal investigation is himself “unaccredited,” according to USDVA documents, and thus, not supposed to look at personally identifiable information of Wisconsin veterans such as the material erroneously sent.
Combined, the four data reports contained the disability claim numbers of nearly 2,000 Wisconsin veterans. An open records request to learn who received the emails from June 1, 2014-April 1, 2015, has not been answered by the WDVA.
“The WDVA has tightened protocols regarding privacy to safeguard sensitive information,” Vigue wrote. “We no longer share the report in question.”
The internal investigation recommended Michalowski and his subordinate, Colin Overstreet, who actually sent the email, be suspended for one day. Both have since left their positions at the WDVA. Neither Michalowski nor Overstreet agreed to comment on what happened.
Multiple requests for an on-camera interview with Scocos were denied. An on-camera interview with his deputy, Kathy Marschman, was canceled less than two hours before it was scheduled. In a meeting to discuss an interview, Marschman said protecting the personally identifiable information of Wisconsin veterans was one of the department’s top priorities, but a review of the department’s 2015-16 strategic plan does not mention that.