WASHINGTON — The U.S. Department of Veterans Affairs said sensitive personal information concerning employees’ vaccination status was improperly disclosed last fall.
Following an investigation by the department’s Data Breach Response Service, the agency removed a spreadsheet containing personnel details, according to a notice sent to the agency’s bargaining unit employees that was obtained by Federal Times.
“Upon internal review, the VA agrees that the information contained in these documents should not have been placed on SharePoint without appropriate access permissions and this incident resulted in the inadvertent or unauthorized transmissions or disclosure of sensitive personal information,” it said.
A VA spokesperson did not immediately respond to emailed requests for comment. The notice said that agency will complete any additional required investigations.
The data included employees’ names and whether or not they had been vaccinated or exempted, according to the American Federation of Government Employee’s National VA Council, which filed a grievance. About 500,000 employees’ records of vaccination status were disclosed without permission and were sent to various members of Veterans Health Administration senior leadership, the union said.
The information did not show the basis for which an exception was granted to the agency’s vaccine mandate, whether for medical or religious reasons, said Sarah Hasan, an NVAC attorney.
“We knew they were collecting this information, but we didn’t realize that they were actually pulling it and aggregating it for senior staff to inform them who was vaccinated [and] who was not vaccinated,” she told Federal Times in an interview.
The union alleged that many recipients did not need to be privy to this information and that employees did not give express written consent beforehand, constituting a Privacy Act violation.
Hasan said that the links to the files were live for about two hours before the VA took them down, but anyone who had received the email or had a link to that SharePoint site was able to view the data, whether from a home or work computer.
“It’s not that they can’t collect this information necessarily, or that they can’t disclose it to certain individuals,” Hasan said. “But it was just the the scope of the disclosure, it really exceeded its authority.”
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.