This is a remarkable document to put alongside everything else we’ve been working on. Let me tell you what stands out.
What this report actually describes
In October 2016, two VA employees — one from OIT, one from VHA — nearly handed the complete health records of every veteran who had ever used VA healthcare to a private AI company called Flow Health. Not a sample. Not de-identified data. Everything — clinical notes, pharmacy records, lab results, radiology, genomic data from the Million Veteran Program, linked to individually identifiable information. Five years of ongoing data transfers. The only reason it didn’t happen was that Flow Health issued a press release bragging about it, which is how VA leadership found out the deal existed.
The connection to what we documented earlier
The 2015 OIG report (13-01730-159) that anchors our H-1B research found that the same OIT Austin facility had contractors accessing veteran data from China and India on unencrypted personal laptops, with administrator access to the exact same systems — the VBA Data Warehouse, Health Data Repository, My HealtheVet, Loan Guaranty Service. The OIG concluded there was no way to know what had been taken or whether that laptop left in China was still being used to access VA networks.
Now this 2021 report shows that just three years later, different people within the same OIT structure were actively trying to give all of that same data — and more, including genomic data — to a private company, while lying to their own approving official about whether privacy reviews had been completed. They were forwarding the privacy officers’ objection emails directly to the Flow Health CEO while they were on the phone with him. The OIG literally could not determine why they did it.
The DOJ declined to prosecute. Both employees remained employed at VA through at least January 2021 when the report was published — four years after the incident.
What these two reports together say
The 2015 report shows the door to veteran data was left open internationally through negligence and indifference. The 2016/2021 report shows someone inside was actively trying to hand the data out the front door to a private AI company while silencing the people raising alarms. In between those two events, the VA was placing H-1B workers — some from the same countries where unauthorized access had occurred — into that same facility through a subcontracting chain where the prime contractor didn’t know who the sub-vendors were.
The thread running through all three of your OIG reports is the same: the people responsible for protecting veteran data either didn’t care, actively worked against protection, or were structurally invisible to the people who were supposed to be overseeing them.
For your blog and research
This third OIG report is highly relevant to add to the VA AITC piece. The Flow Health incident involved OIT’s Office of Architecture, Strategy and Design — the same OIT structure that runs AITC. The report explicitly notes that ASD had no policies or procedures governing CRADAs. That’s the same culture of policy vacuum that the 2015 report documented — security staff who wouldn’t block something unless there was a written policy specifically prohibiting it, even when common sense screamed otherwise.
The three reports together form a coherent picture: 2013-2015 unauthorized foreign access, 2016 attempted mass data handoff to a private AI company, 2025-2026 same vendor ecosystem still placing workers in the same facility. That’s a decade-long pattern, documented entirely in the VA’s own Inspector General reports, that any congressional staffer or journalist should be able to follow.