- The watchdog found weaknesses in PATS-R safeguards that exposed sensitive veteran information
- Auditors identified gaps in system classification, access management and privacy documentation
- Many users said they did not realize the system provided access to medical records
The Department of Veterans Affairs Office of Inspector General found that the Patient Advocate Tracking System-Replacement, or PATS-R, lacked adequate security controls to protect veterans’ sensitive information during a review covering March 2025 through January 2026.
The Potomac Officers Club’s 2026 Healthcare Summit on Dec. 3 will explore data privacy, AI and other priorities shaping the future of federal healthcare. Register now.
What Security Issues Did the OIG Identify?
According to the audit report issued Tuesday, PATS-R was incorrectly categorized as a low-risk system after oversight shifted in late 2023 and the application migrated to a cloud environment. The OIG said the VA Office of Information and Technology did not complete all required steps under the federal risk management framework. In particular, the OIT failed to update the system’s privacy impact assessment.
OIT reclassified the system as moderate impact in March 2025, but the change did not resolve issues with access controls. The program office also did not consistently verify whether users were authorized to access the system.
The audit also noted that many PATS-R users did not know the system allowed access to medical records, and most said they could perform their responsibilities without that access.
Furthermore, the inspector general found that the Veterans Health Administration’s Office of Patient Advocacy did not provide sufficient oversight to ensure proper role provisioning, timely account removal or updated user training.
What Recommendations Did the OIG Make?
The OIG issued five recommendations. It called on OIT to ensure security authorizations are reassessed whenever significant changes affect an application’s security or privacy posture and to reevaluate PATS-R’s risk determination and security categorization. It also recommended that the Veterans Health Administration determine whether continued access to veterans’ medical records is necessary, establish regular reviews of user roles to enforce least-privilege access, and update PATS-R user guides and training materials.
The audit adds to a series of federal oversight reviews examining the VA’s management of health information technology systems. In July 2025, the Government Accountability Office identified leading practices for the department’s electronic health record modernization, recommending improvements in governance, implementation and workforce management.
The OIG’s findings also follow a June 2025 GAO review of the VA’s online appointment scheduling modernization, which found shortcomings in project planning and requirements management and recommended stronger oversight by the VHA and OIT.






