The U.S. Office of Special Counsel (OSC) today announces three U.S. Department of Veterans Affairs (VA) whistleblowers as recipients of the 2024 OSC Public Servant award.
“These three whistleblowers achieved an outstanding result and brought needed change to VA operations," said Special Counsel Hampton Dellinger. “The investigation spurred by their disclosure uncovered thousands of instances in which personal information was not properly protected and was accessible to VA employees across the agency regardless of the employees' need to know. This case illustrates how OSC's disclosure process is a vital mechanism that ensures executive agencies meet their obligations and strengthens the public's trust in its government. It is my honor to recognize these brave whistleblowers with OSC's 2024 Public Servant award."
The whistleblowers, former-Senior Program Manager Peter Rizzo, Program Analyst Kristen Ruell, and another VA employee who chose to remain anonymous, disclosed to OSC that agency officials violated federal law and VA policies by improperly storing personally identifiable information (PII). The information of whistleblowers, veterans, and employees was left unprotected in the agency's internal electronic casework system known as “Veterans Affairs Integrated Enterprise Workflow Solution Case and Correspondence Management" or VIEWS CCM system.
The VA uses VIEWS CCM to conduct administrative and correspondence work. Roughly 260 cases are created in VIEWS CCM each business day, which retains information on veterans, their dependents, and VA employees, including whistleblowers and contractors. A VA directive requires PII to be kept confidential and properly controlled, and VA employees using VA information systems must comply with all privacy policies, procedures, and practices.
The investigation substantiated that searching in VIEWS CCM returned numerous cases containing PII that any user could view. The investigation also discovered that VIEWS CCM has a Veterans Contacts Database that contains veterans' PII such as DOBs, SSNs, personal addresses, and phone numbers.
In response to these findings, the VA implemented several corrective actions to protect open and closed cases containing PII in the relevant systems, to ensure employees properly designate and protect cases in the future, and to provide appropriate tracking and user oversight. The changes include: converting all open and closed cases in VIEWS CCM to “Sensitive" status; changing all archived cases to “Sensitive" status; restricting access to only users with a validated business need for the information; and changing the default indicator to “Sensitive" for all correspondence received from OSC, the Office of Accountability and Whistleblower Protection, and Offices of Inspectors General.
***