Interview transcript:

 

Elizabeth Curda The disability exam process is an important component in the decisions that VA has to make about a veteran’s claim for disability. So for example, if a veteran was injured during their service in Iraq and they have ongoing hearing problems, but they don’t have medical records to substantiate that, they might be asked to do a medical disability exam to establish that they have that condition and it’s connected to their service.

Terry Gerton How much does the VA spend on this, and do they do it all in house?

Elizabeth Curda It’s a very costly program. It used to be done within the VHA hospital systems, Veterans Health Administration, but in recent years they have shifted most of the work to contractors. And VA spends about $5 billion, that was the expenditure in 2024, and the contractors do over 90% of all the disability exams.

Terry Gerton So as GAO got into this report, what motivated you to start it and what did you find?

Elizabeth Curda Well, we had a request from the chairman of the House VA Committee’s subcommittee on disability and memorial affairs, Chairman Luttrell, to look at the quality of these exams. When you have a contractor performing a function for the government, your toolbox in terms of keeping that contractor accountable — you have to be able to assure you have oversight over the quality of the work that they’re doing, in addition to things like timeliness. And so they wanted to know, what is VA doing to oversee the quality of these exams? We took a comprehensive look at all aspects of their oversight, and we found that overall they had a lot of processes in place for oversight in areas such as preventing errors, detecting errors that occur, and correcting them after the fact. So a lot going on, but we did find some areas for improvement and made recommendations.

Terry Gerton I can imagine that the distribution of contracted providers for this service is nationwide, so that oversight is especially critical in helping to ensure that a veteran in Indiana has a similar experience and quality as a veteran in Texas or California. What were the sorts of challenges that you discovered?

Elizabeth Curda Well, we made five recommendations that cut across three broad areas. And those broad areas were, as we found, breakdowns in some of their procedures for identifying and correcting the most frequent or complex issues with exams. We found issues with financial incentive payments that they make to the contractors. We found errors that resulted in overpayments. And we also saw a gap in an important source of feedback, which is the examiners themselves. VA gets feedback from all different parties: the contracting companies, the veterans, but they didn’t have any way to get direct feedback from examiners who are doing the day-to-day work.

Terry Gerton The part of VA that administers this is the Veterans Benefit Administration, not the health administration portion of VA, is that correct?

Elizabeth Curda Yes.

Terry Gerton And so VBA not only manages these exams but also the full disability determination requirement. They must be stretched pretty thin.

Elizabeth Curda That is correct. We have been reporting for years that they are in our high-risk list for managing their workloads. And that is basically the influx of claims and being able to handle those on a timely basis. So yes, they have been historically stretched pretty thin.

Terry Gerton I’m speaking with Elizabeth Curda. She’s a director in the education workforce and income security team at GAO. So Elizabeth, then tell us more about the recommendations that you made particularly.

Elizabeth Curda We made recommendations over two years. Our initial report on this was last September in a hearing, and we had a recommendation for a process that VBA conducts in which they feed to the contractors on a quarterly basis the most frequent errors. The contractors are required on a quarterly basis to write a report to VA on what they’re going to do to correct those errors. Now we found that VA did not have complete and effective practices for how to review these reports. So the quality review people would get these reports back from the contractors, and then everyone would write a little summary based on sort of what they thought they should be doing. But there wasn’t any procedure for, what should they be looking for in these reports? And the two things that we found that were missing were nobody checks to see if the contractors go back and actually do these actions. So there’s no checking to see if the contractors are fixing things. And there’s no effort to determine if those actions were effective or not. Are they seeing the errors go down? What’s the outcome of all this work? So that was one area.

Terry Gerton It sounds like that might be an opportunity to deploy AI. If you’re getting all of these reports in, maybe an AI reviewer could help streamline those and tell you about trends and where to follow up.

Elizabeth Curda Well that is another topic because that is very complex. And VA is really, I mean, we’ve discussed some of their efforts with AI and it’s really kind of at its very beginnings. But yes, potentially.

Terry Gerton And so what was the second recommendation?

Elizabeth Curda The second area also had to do with oversight of exams and it has to do with what they call “special focus reviews.” And these are three areas where they’re very complex and they tend to have a high error rate. It’s traumatic brain injury, military sexual trauma, and Gulf War illness. So they had a procedure to do these every two years. And they had done one round of the reviews, but they were late — over a year late — doing another round of reviews. And so we recommended that they basically do the second round of reviews on schedule. We subsequently, in the course of our work, learned that their staff have been cut by about 50% of the folks who were doing this particular function. And so they said in response to us that they will be switching to a three-year cycle, which in our view was, it’s better than no years. But we think the two-year cycle would be ultimately better because then you identify things that are working or not working and can take corrective action sooner. They also have begun negotiations on their new contracts for these contractors, which are long term, you know, they were multi-years, and things that they’re finding from these special focus reviews could be built into those contracts. But only if they’re done in a timely manner.

Terry Gerton Did you get any feedback from the providers themselves about how this process was working?

Elizabeth Curda We checked in with the people who do the disability exams, we call them the examiners, and we randomly selected examiners to talk to. And what we found is universally they felt they wanted opportunities to provide feedback about the exam process directly to VBA. Currently the process is, because they work for a contractor, all that feedback would go through the contractor up to VBA. And VBA basically told us, “we get all that feedback, the contractor gives us feedback.” But what we heard from the examiners is, you know, they don’t always feel they’re being listened to, they don’t always have their problems addressed, and they also sometimes get conflicting information if they work for more than one contractor. Different contractors will tell them to do things differently, and they don’t think that both can be right. But they have a hard time resolving these things themselves.

Terry Gerton So better communication, more checking. What else was on the list?

Elizabeth Curda The last area had to do with these financial incentive payments. The way VBA incentivizes good performance is they have these three areas: quality, timeliness, and customer satisfaction. And they measure, for each of the contractors, how well they do in those dimensions. And they feed that into a formula that will produce a bonus payment to contractors that score particularly well and penalties for those that are not meeting basic thresholds. And what we found was the way they calculate these is on a spreadsheet with a lot of manual data entry, and they were doing manual calculations as well. And there wasn’t a procedure in place to double-check the numbers, the data entry. They were doing some checking, but it wasn’t formalized. And so when we reviewed the numbers, we found that VBA had caught some of its errors on its own, but we found some that they hadn’t caught. And it was about $2.3 million worth of errors — bonuses that went out to contractors that did not earn them. And that really just sends … it’s the wrong message. You’re getting paid and you didn’t actually earn it.

Terry Gerton Exactly. How has VBA responded to your findings and recommendations?

Elizabeth Curda VBA agreed, or they use the term agree in principle when they sort of agreed, with all the recommendations. They actually have reported that they’re taking action on all of them, and some I think are very close to being implemented, such as the one on financial incentives. They told us there was a hearing on this last week, and they said that they actually have gotten the money back from the contractor and they are putting in place these new procedures. We just haven’t seen that documentation yet. But you know, when we do we’ll evaluate whether we can close that one or not. But all of them are sort of in the works, you know, in various stages of completion.

Terry Gerton So will you be following up with VBA to check how they’re doing?

Elizabeth Curda Oh, certainly. And we always follow up on our recommendations at least annually, but sometimes more than that, just depending on when they have updates for us.

The post The first step in a veteran’s disability claim can make or break the outcome first appeared on Federal News Network.

A government watchdog is sounding the alarm about a growing national security threat online. Rather than a traditional cyberattack, however, this one comes from the everyday digital footprints service members and their families leave across the internet. 

A new Government Accountability Office report warns that publicly accessible data — from social media posts and location tracking to Defense Department press releases — can be pieced together by malicious actors to identify military personnel, target their families and disrupt military operations.

According to GAO, while the Pentagon has taken some steps to address the threat, its efforts remain scattered, inconsistent and lack coordination. 

“We found that the department recognized that there were security issues, but they weren’t necessarily well-prepared to respond to them because it was new, because it didn’t necessarily neatly fit into existing organizational structures or policies or doctrines, and that’s a consistent story with the department,” Joe Kirschbaum, director of the defense capabilities and management team at GAO, told Federal News Network. 

To understand the risks posed to DoD personnel and operations that come from the aggregation of publicly accessible digital data, the watchdog conducted its own investigation and built notional threat scenarios showing how that information could be exploited. GAO began by surveying the types of data already available online and also assigned investigators to scour the dark web for information about service members. 

In addition to basic social media posts, investigators found data brokers selling personal and even operational information about DoD personnel and their families — information that can be combined with other publicly available data to build a more complete profile. 

“Once you start putting some of these things together, potentially, you start to see a pattern — whether it’s looking at individuals, whether it’s the individuals linked to military operational units or operations themselves, family members. Nefarious actors can take these things and build them into a profile that could be used for nefarious purposes,” Kirschbaum said. 

One of GAO’s threat scenarios shows how publicly accessible information can expose sensitive military training materials and capabilities. Investigators found that social media posts, online forums and dark-web marketplaces contained everything from military equipment manuals, detailed training materials, and photos of facility and aircraft interiors. When combined, these digital footprints can reveal information about equipment modifications, strategic partnerships or potential vulnerabilities, which can be used to clone products, exploit weaknesses or undermine military operations. 

And while DoD has identified the public accessibility of digital data as a “real and growing threat,” GAO found that DoD’s policies and guidance are narrowly focused on social media and email use rather than the full range of potential risks from aggregated digital footprints. 

For instance, the DoD chief information officer has prohibited the use of personal email or messaging apps for official business involving controlled unclassified information. But that policy doesn’t address the use of personal accounts on personal devices for unofficial tasks involving unclassified information — such as booking travel, accessing military travel orders, or posting on social media — activities that can pose similar risks once aggregated.

In addition, DoD officials acknowledged that current policies and guidance do not fully address the range of risks created by publicly accessible digital information about DoD and its personnel. They said part of the challenge is that the department has limited authority to regulate actions of DoD personnel and contractors outside of an operational environment.

“In general, except for the operation security folks, the answer was they didn’t really consider this kind of publicly available information in their own sphere. It’s not like they didn’t recognize there’s an issue, but it was more like, ‘Oh yeah, that’s a problem. But I think it’s handled in these other areas.’ Almost like passing the buck. They didn’t understand, necessarily, where it was handled. And the answer was, it should probably be handled collectively amidst this entire structure,” Kirschbaum said. 

The officials also said that while they had planned to review current policies and guidance, they “had not collaborated to address digital profile risks because they did not believe the digital profile threat and its associated risks aligned with the Secretary of Defense’s priorities,” including reviving warrior ethos, restoring trust in the military and reestablishing deterrence by defending the homeland. 

“One of our perspectives on this is we know we’re not sure where you would put this topic in terms of those priorities. I mean, this is a pretty clear case where it’s a threat to the stability and efficacy of our military forces. That kind of underlines all priorities — you can’t necessarily defend the homeland with forces that have maybe potential operational security weaknesses. So it would seem to kind of undergird all of those priorities,” Kirschbaum said. 

“We also respect the fact that as the department’s making tough choices, whether it’s concentrations of policy, financial and things of that nature, they do have to figure out the most immediate ways to apply dollars. For example, we’re asking the department to look across all those security disciplines and more thoroughly incorporate these threats in that existing process. The extent they’re going to have to make investments in those, they do have to figure out what needs to be done first and where this fits in,” he added.

GAO issued 12 recommendations to individual components and agency heads, but at its core, Kirschbaum said, is the need for the department to incorporate the threat of publicly available information into its existing structure. 

“In order to do that, we’re asking them to use those existing structures that they do have, like the security enterprise executive committee, as their collaborative mechanism. We want that body to really assess where the department is. And sometimes they’re better able to identify exactly what they need to do, rather than us telling them. We want them to identify what they need to do and conduct those efforts,” he said.

The post DoD failing to address growing security threats posed by publicly available data first appeared on Federal News Network.