The Department of Veterans Affairs' Office of Inspector General found that the agency's IT office wrongly labeled a patient-advocate communication system as "low risk," leaving sensitive veteran medical records with fewer security controls than required.

 

What happened

The VA's Office of Information Technology moved the Patient Advocate Tracking System-Replacement (PATS-R) to the cloud and the Office of Strategic Initiatives in November 2023 without completing all necessary risk management steps. Veterans Health Administration staff use PATS-R to document communications with veterans. The OIG found the system's "low risk" categorization jeopardized the confidentiality, integrity, and availability of veterans' data, despite the system granting access to patient medical records. Following the OIG's preliminary findings in March 2025, OIT raised the risk categorization to moderate. The OIG conducted its audit from March 2025 through January 2026.

 

Going deeper

  • A survey of PATS-R users found 77% did not know the system let them view veteran medical records.
  • 89% of surveyed users said losing that access would not affect their job responsibilities.
  • The OIG determined the moderate risk categorization may still fall short because access controls were not functioning as intended.
  • The program office was not consistently reviewing users to confirm they were authorized to use PATS-R based on their roles.
  • The VA did not automate the user deactivation process until May 2025.

 

What was said

The OIG report stated that the low-risk categorization "potentially jeopardized the confidentiality, integrity, and availability of veterans' data."

The report also noted that low risk means the loss of data's "confidentiality, integrity, or availability could be expected to have a limited adverse effect," a standard the OIG found inappropriate for a system with access to patient medical records.

 

Why it matters

PATS-R exists so VHA staff can log their communications with veterans, yet the system's incorrect risk categorization meant it carried weaker security controls than a system with direct access to medical records should have. The survey results show a gap between the system's actual capabilities and how it's used day to day. Most users didn't realize they could view medical records through PATS-R, and the majority said they didn't need that access to do their jobs. That mismatch is exactly what the OIG flagged as a risk, broad and unmonitored access to sensitive health data that wasn't being reviewed to confirm it matched users' actual roles.

 

The bottom line

The VA has agreed to all of the OIG's recommendations, including re-evaluating whether PATS-R needs medical record access at all, updating training materials, and regularly reviewing who has authorized access.The OIG has already closed the recommendation calling for a higher risk categorization, but the question of whether a communications-logging tool should carry medical record access remains part of the agency's ongoing corrective work.

 

FAQs

What is PATS-R used for?

It's a system Veterans Health Administration staff use to document their communications with veterans.

 

What does a "low risk" categorization mean for a federal IT system?

It signals that a system's data can be protected with fewer security controls because a breach is expected to cause only limited harm.

 

Why might a communications-logging system have access to medical records in the first place?

Systems built to track interactions with patients often get bundled access to related records so staff can reference context without switching platforms.

 

What does it mean for a system to "inherit" security controls from a cloud provider like Microsoft Azure?

It means the system automatically takes on the baseline security protections already built into the cloud platform hosting it, rather than needing separate controls built from scratch.