Two VA Employees Covered Up Privacy and Security Risks of Data Project with Flow Health

Two information technology staff members at the Department of Veterans Affairs (VA) allegedly made false representations regarding the privacy and security risks of a large AI data project between the VA and a private firm, which could have led to the personal and confidential health information of millions of veterans being fed into the AI program.

The VA Office of Inspector General (OIG) conducted an administrative investigation of the likely conflict of interest associated with a 2016 cooperative research and development agreement (CRADA) involving the VA and a private firm.

The objective of the collaboration was to help veterans stay healthy and well by using the AI and deep learning systems created by Flow Health. The project was aimed at determining common factors that make people vulnerable to disease, discovering potential remedies and probable side effects to inform care decisions, and improving the reliability of diagnoses.

Under the CRADA, the private and confidential health information, including genomic information, of all veterans who had received healthcare at the VA could have been shared with Flow Health. Senior VA IT leaders became aware of the deal in November 2016, after the media covered Flow Health's press release announcing the new project.

The CRADA was approved but was unilaterally terminated in December 2016, before any veteran data was transmitted. Also in December 2016, the VA's IT leaders asked the OIG to investigate potential conflicts of interest involving the two VA employees and Flow Health.

Under the CRADA, the private and confidential health information would have been shared with Flow Health for 5 years. Flow Health said the project envisioned creating the world's biggest knowledge graph of medicine and genomics, with more than 30 petabytes of longitudinal clinical information taken from 22 million veterans' VA records covering about 20 years. To protect veterans' privacy, all patient data was to be de-identified during analysis.

One of the VA employees was a Veterans Health Administration (VHA) health system specialist assigned to the VHA central office, while the other was an Office of IT program manager. OIG examined whether one or both employees had financial conflicts of interest associated with the agreement with Flow Health. Although OIG did not find any financial conflicts of interest, the employees did conceal material information regarding the privacy and security threats of the venture and misrepresented the risks, so that the project was approved under false pretenses.

The report on the false statements and concealment of material information by VA information technology staff stated that the VA official responsible for approving or rejecting the project proposal had asked the employees to respond regarding the cybersecurity implications of the Flow Health project.

OIG explained that the two employees hid facts from the VA official and did not disclose the concerns of subject matter experts regarding the privacy and security of the project. The two also gave false reports to the VA official concerning the privacy and security reviews and suggested that all issues had already been resolved. They further recommended that the VA official proceed with the Flow Health project.

The OIG referred the matter to the Department of Justice, which declined to prosecute the two employees. The OIG advised the VA to determine whether administrative action should be taken in connection with the employees' conduct, and the VA agreed with the recommendation.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations.