Why it Matters
The Department of Veterans Affairs (VA) holds some of the most sensitive data in the federal government: the genetic profiles, medical histories, and mental health records of millions of Americans who served in uniform. A new Government Accountability Office (GAO) report, publicly released May 21, 2026, found that while the VA has made meaningful strides in protecting veterans' data, significant cybersecurity gaps persisted in a program housing the genetic data of roughly one million veterans. The findings arrive at a moment when federal data security is under intense public scrutiny.
The Big Picture
The VA's Million Veteran Program (MVP), launched in 2011, is the nation's largest biorepository of veteran data. Approximately one million veterans have enrolled, voluntarily contributing blood samples, health surveys, and personal histories to advance research into how genetics, lifestyle, military service, and environmental exposures shape long-term health outcomes.
The program's scale is its strength — and its vulnerability. The sheer volume of sensitive biological and health data concentrated in a single research infrastructure makes it a high-value target, and the GAO found that the cybersecurity controls protecting that infrastructure were not fully up to the task.
Auditors identified deficiencies in four core areas of information security within a key system supporting the MVP, a system that stores protected health information:
- Asset and risk management — tracking what systems and data exist, and what threats they face
- Configuration management — ensuring systems are set up securely and consistently
- Identity and access management — controlling who can access sensitive data and under what conditions
- Continuous monitoring and logging — detecting and recording unusual activity in real time
Together, these gaps gave the VA "reduced assurance of the confidentiality and integrity" of sensitive health information stored in the MVP system, according to the report.
What They're Saying
The GAO's findings were not new to the VA. In September 2025, the watchdog delivered a sensitive, limited-distribution version of this report directly to agency officials, accompanied by 13 specific recommendations to address the cybersecurity deficiencies. That version was withheld from the public to avoid disclosing details that could be exploited by bad actors.
The May 2026 report is a public version of that earlier document, with sensitive technical details removed. It also provides a status update on where the VA stands in implementing the corrective actions GAO recommended.
The picture, as of March 2026, is one of partial progress. The VA had fully implemented nine of the 13 recommendations. Three others were partially implemented. The status of the remaining recommendation was not explicitly detailed in the public version of the report. GAO said it will continue to monitor the agency's progress.
Yes, but
Not all of the report's findings were critical. On the question of how the VA manages its relationships with outside contractors and vendors — known in federal health law as "business associates" — the agency earned a clean bill of health.
The Veterans Health Administration (VHA) routinely shares protected health information with external service providers who help create, maintain, and transmit that data. Under the Health Insurance Portability and Accountability Act, those relationships must be governed by formal agreements that spell out privacy and security obligations.
GAO reviewed 73 randomly selected protected health information sharing agreements between the VA and its business associates. Every single one included all 12 required HIPAA Privacy Rule provisions governing the use and disclosure of protected health information. The VHA also documented its responsibilities for conducting performance audits to verify that those external partners are actually protecting veterans' data as required.
Compliance in this area, the report suggests, is working as intended.
The Bottom Line
The stakes of getting this right extend well beyond regulatory compliance. Veterans who enrolled in the Million Veteran Program did so on the understanding that their most intimate biological data — their DNA — would be used for research, not exposed to unauthorized access. A breach of that data would not only violate veterans' privacy in the most personal sense, but could also have long-term consequences for veterans and their families, including the potential exposure of heritable health information.
In a broader context, the federal government has faced repeated, high-profile failures to protect sensitive personal data. The 2015 breach of the Office of Personnel Management, which exposed background investigation files on more than 21 million federal employees and contractors, remains a benchmark for what can go wrong when cybersecurity controls fail to reflect the sensitivity of the data being protected.
The VA's MVP holds comparably sensitive data. The GAO's findings suggest that the agency understood the cybersecurity problem — it accepted all 13 recommendations — and has moved to address most of them. But with four deficiency areas identified and at least four recommendations not yet fully implemented as of March 2026, the work is not finished.
