Audit of Security and Access Controls for the Patient Advocate Tracking System-Replacement
Report Information
Summary
Patient advocates document interactions with veterans in the Patient Advocate Tracking System-Replacement (PATS-R), which contains personally identifiable and health information that VA is required to protect. The VA OIG conducted this audit to determine whether PATS-R had adequate security controls from March 2025 through January 2026 to safeguard veterans’ sensitive information in accordance with federal law and information security standards.
The OIG found that PATS-R received an inappropriate low risk categorization when oversight of the system shifted portfolios in late 2023 and the system migrated to a cloud environment. During the transition, VA’s Office of Information and Technology (OIT) did not follow all the steps of the required risk management framework, including revisiting the privacy impact assessment. As a result, the confidentiality, integrity, and availability of veterans’ information were put at potential risk. Although OIT updated the system risk categorization to moderate impact in March 2025, access controls still did not function as intended, and the program office did not consistently validate that users were authorized. The OIG also found many users were unaware they could access medical records through PATS-R, and most reported that losing such access would not affect their duties.
Additionally, the Office of Patient Advocacy did not provide adequate oversight or guidance to ensure proper role provisioning, account removal, or training updates. Without effective governance and security controls, veterans’ sensitive information remained vulnerable to unauthorized access.
In response to the OIG’s preliminary findings, OIT updated the system’s categorization to moderate impact, restricted unauthorized access to medical records, and automated the deactivation of inactive accounts. While these actions represented progress, further improvements are needed. VA concurred with the OIG’s five recommendations. Based on actions taken and evidence provided by VA, the OIG considers recommendation 1 of the report closed.
Ensure that authorizations are reassessed when a significant change affects the security or privacy posture of an application, consistent with the requirements of VA Handbook 6500.
Reevaluate the risk determination for the Patient Advocate Tracking System‑Replacement and determine the appropriate security categorization level and system classification based on (1) the sensitive personal information maintained in the system and (2) the System Security Categorization Report.
Reevaluate whether there is a continued business need to maintain access to veterans’ medical records in the Patient Advocate Tracking System-Replacement.
Institute a process to ensure user roles are regularly reviewed for continued access and evaluate the effectiveness of the access control principle of least privilege to ensure roles for the Patient Advocate Tracking System-Replacement are correctly configured and allow access only for authorized users.
Update the Patient Advocate Tracking System-Replacement user guides and training materials.