A Department of Veterans Affairs (VA) Office of Inspector General (OIG) audit released on July 7 found that the Veterans Health Administration’s (VHA) Patient Advocate Tracking System-Replacement (PATS-R) lacked adequate security and access controls to safeguard veterans’ sensitive personal information.
According to the report, the VA’s Office of Information and Technology (OIT) incorrectly categorized the system as low risk, resulting in fewer security controls than appropriate for an application that stores veterans’ personal and medical information. The audit period was from March 2025 through January 2026.
Although VA officials took several corrective actions during the audit, the OIG issued five recommendations to strengthen system governance, user access controls, and training materials.
“Without effective security and access controls and without sufficient oversight and guidance, the Office of Patient Advocacy cannot effectively fulfill its legal obligation to protect veterans’ sensitive information from unauthorized access,” the report says.
The audit found that the department did not reassess PATS-R’s security categorization after the application was moved to a cloud-based environment and transferred to a different oversight organization in November 2023.
As a result, the system continued operating under a low-risk designation despite handling sensitive personal information that warranted stronger protections, according to the OIG. During the audit, OIT updated the system’s categorization to moderate risk and implemented additional privacy controls, but the watchdog said that designation may not be enough.
“The moderate risk level may still be insufficient because access controls were not working as intended and because the program office was not consistently reviewing users to ensure they were authorized to use PATS-R based on their roles,” the report warns.
The OIG also found that access controls intended to limit who could view veterans’ medical records were not functioning properly. Some employees retained access to medical records despite no longer needing it for their job duties, while many authorized users reported they did not use PATS-R to access medical records and instead relied on other VA systems.
Survey results cited in the report found that 77% of respondents were unaware that PATS-R could access medical records, and 89% said losing that capability would not affect their work.
The report also identified governance shortcomings within VHA’s Office of Patient Advocacy, including inconsistent reviews of user roles, outdated training materials, and a lack of standardized guidance for provisioning and removing user accounts.
During the audit, VA automated the process for removing inactive accounts after 90 days, but the OIG said additional oversight remains necessary to ensure users retain only the access required for their duties.
The OIG made five recommendations to ensure PATS-R is correctly assessed and categorized, that system users have a need to access veterans’ medical records, that user roles are correctly configured, and that users have updated guidance. VA concurred with all five recommendations.