1. What Almost Happened
On October 28, 2016, a senior official in the VA's Office of Information and Technology signed a Cooperative Research and Development Agreement (CRADA) with a private AI company called Flow Health, Inc. Under the terms of that agreement, the VA committed to giving Flow Health access to the complete health records of every veteran who had ever received care from the VA — tens of millions of people. Not a sample. Not anonymized data. Everything.
The data included clinical notes, pharmacy records, laboratory results, radiology images, pathology reports, diagnostic records, and patient-generated data — all linked to individually identifiable information. It also included the genomic data of veterans enrolled in VA's Million Veteran Program, a national research database containing the DNA of hundreds of thousands of American veterans. The agreement called for this transfer to continue for five years, with VA providing Flow Health current, ongoing health data throughout that period.
The CRADA defined health data to include: "clinical (structured and unstructured data), claims, pharmacy, laboratory, radiology, pathology, diagnostic, patient-generated and molecular data (e.g., microbiome, DNA, RNA, proteomics) with Individually Identifiable Information allowing the integration of VA data with external individually identifiable data sets."
It also included veterans' genomic data from the Million Veteran Program — DNA collected from veterans who trusted VA to protect it.
Source: VA OIG Report #17-01980-201, p. i, footnote 3
VA leadership — the Under Secretary of Health and the Chief Information Officer — never knew this agreement existed. They found out on or about November 30, 2016, when Flow Health issued a press release announcing the deal, complete with the official VA seal and the VA slogan "VA HEALTHCARE – Defining EXCELLENCE in the 21st Century." Using the VA seal in that way violated the terms of the very CRADA Flow Health was bragging about.
VA terminated the agreement on December 20, 2016. No veteran data was actually transferred. But the fact that the deal got as far as it did — signed, executed, and nearly operational — is the story.
2. How It Was Done: False Statements to the Approving Official
The OIG investigated for over four years before publishing its findings in January 2021. What it found was not incompetence. It was a sustained, deliberate campaign of false statements and concealment that lasted from September through October 2016.
Two VA employees drove the deal: an OIT program manager who served as the CRADA Leader, and a VHA health system specialist who served as the VA Principal Investigator. The approving official — the person who actually signed the agreement — did so because he was repeatedly told that privacy, security, and legal reviews had all been completed and approved. They had not been.
Three separate VA privacy experts raised significant objections before the CRADA was signed. All three were ignored, their concerns were hidden from the approving official, and in several cases their warning emails were forwarded directly to the Flow Health CEO — while the OIT program manager was on the phone with him.
The Three Experts Who Were Ignored
| Who | Date | What They Said | What Happened |
|---|---|---|---|
| OIT Privacy Official Associate Deputy Assistant Secretary for OIT Policy, Privacy & Incident Response |
Oct 6, 2016 | Raised 5 specific concerns: no dedicated privacy staff, no privacy training for Flow Health employees, wrong BAA template used, BAA less restrictive than national standard, insufficient breach notification language. Said: "I would much rather err on the side of caution when dealing with PII/PHI." | OIT program manager removed the approving official from the email thread. Forwarded the warning email to the Flow Health CEO. Never told the approving official. |
| VHA Privacy Officer Director, VHA Information Access & Privacy Program Office |
Oct 12, 2016 | Told the OIT program manager and VHA employee that HIPAA bars use of PHI for research without proper authorization. Cited 45 CFR § 164.501. Said she had "various privacy concerns" about the CRADA itself. | No response from either employee. Approving official never notified. OIT program manager forwarded her email to the Flow Health CEO while on the phone with him. |
| VHA Regulatory Affairs Official Associate Director of Regulatory Affairs, VHA Office of Research & Development |
Oct 12, 2016 | Identified human subject protection issues. Found that MVP genomic data was included without the MVP team's knowledge or consent. Called the OIT program manager and left a voicemail saying he could not use MVP data. Said in her experience, "usually that raises the alarms and everything stops." | OIT program manager did not return the call. No response to the email. MVP team confirmed they had no idea their data was included. Approving official never notified. |
The False Statements — In the Employees' Own Words
The OIG documented multiple specific false statements made to the approving official. Each one occurred shortly before or during a phone call with the Flow Health CEO.
2016
"The CRADA project proposal, patient data access and privacy implications, were reviewed and approved by both VA OIS and OGC."
This was false. OIS had not reviewed the CRADA for privacy. OGC's approval was based on a prior misrepresentation that VHA privacy officials had already cleared it — they hadn't even seen it yet. Phone records show this email was sent while the OIT program manager was on the phone with the Flow Health CEO.
2016
"We completed the necessary reviews per our conversations and the CRADA is ready for your signature."
This was a concealment of material fact. Hours earlier, the OIT privacy official had sent significant unresolved concerns. The approving official had been removed from that email thread and never saw them. Sent while on phone with Flow Health CEO.
2016
"We completed a review and have concurrence on privacy and security."
This was false. There was no concurrence. The OIT privacy official's concerns remained unaddressed and had never been communicated to the approving official. Sent immediately after a call with the Flow Health CEO.
2016
"Yes. OIS has reviewed and approved both the CRADA and the BAA."
This was false on both counts. OIS never reviewed or approved the CRADA. OIS had not yet reviewed the BAA — that approval didn't come until two days later, October 19. Sent while on phone with Flow Health CEO.
2016
"We have approval from Privacy, Security and Legal."
This was false. Privacy approval did not exist. The OIT privacy official, VHA privacy officer, and regulatory affairs official had all raised unresolved concerns. Legal approval was based on an earlier misrepresentation. Sent while on phone with Flow Health CEO.
2016
He later told OIG investigators: "Everybody that I thought was supposed to… said it looked fine, and that's why I signed the CRADA." He also said that if he had been told of the concerns, "I think that would have led me in a different direction."
The OIG documented that multiple false statements to the approving official were made either while the OIT program manager was on the telephone with the Flow Health CEO or immediately after those calls. The OIT program manager also forwarded the VHA privacy officer's objection email directly to the Flow Health CEO — while on a call with him — before the approving official ever saw it.
Source: VA OIG Report #17-01980-201, Appendix B
3. What the Data Actually Was
It is worth being specific about what was nearly transferred, because the scale is difficult to comprehend. The VA is the largest integrated healthcare system in the United States, with 170 medical centers and over 1,000 outpatient facilities serving 9 million enrolled veterans. Every clinical encounter, every prescription, every lab draw, every imaging study — all of it sits in VA's systems.
- Clinical records — both structured data (diagnoses, medications, procedures) and unstructured data (physician notes, nursing notes, consult reports)
- Claims data — every service billed, every benefit accessed
- Pharmacy records — every medication, every dosage, every refill
- Laboratory results — blood work, cultures, pathology
- Radiology and imaging — X-rays, CT scans, MRIs
- Genomic data from the Million Veteran Program — DNA, RNA, microbiome, proteomics, collected from veterans who enrolled specifically to support VA research and who had no idea their genetic information was being offered to a private company
- Individually Identifiable Information — names, Social Security numbers, dates of birth, addresses — linked to all of the above and designed to allow integration with commercial health data from private insurers
The Million Veteran Program element is particularly significant. Veterans enrolled in MVP gave their DNA to the VA for VA research. The CRADA would have transferred that genomic data to a private AI company without their knowledge or consent. The regulatory affairs official who caught this called the MVP team to ask if they knew — they did not.
The OIG's summary states directly: "As a result of the OIT program manager's and the VHA employee's actions, the health data of tens of millions of veterans would have been placed at risk of disclosure had the contract not been cancelled."
The contract was cancelled because Flow Health issued a press release. Not because internal controls caught it. Not because a whistleblower stopped it. Because the company told the press.
4. The Policy Vacuum That Made It Possible
The OIG found something that deserves as much attention as the false statements themselves: the office that executed this agreement — OIT's Office of Architecture, Strategy and Design (ASD) — had no policies or procedures governing CRADAs. None. Zero. The office had been designated as a federal research laboratory in April 2015 and given authority to execute research agreements, but it operated with no written rules about how to do so safely.
This mirrors exactly what the 2015 OIG investigation found about remote access policy at the same VA IT structure: security employees who would not block potentially dangerous activities unless a written policy specifically prohibited them, even when personal judgment and expert opinion screamed that something was wrong. In 2013 it was unauthorized access to VA systems from China and India. In 2016 it was the attempted transfer of tens of millions of veterans' health records to a private company. In both cases, the people doing it found no written rule saying they couldn't — and that was enough.
ASD had authority to enter CRADAs under the Federal Technology Transfer Act. Its research activities were outside the purview of VHA's Office of Research and Development — meaning VHA's comprehensive CRADA policies did not apply. ASD had created no equivalent policies of its own.
When ASD was dissolved in February 2018 through an OIT reorganization, its authority to execute CRADAs was not transferred to any other office — it simply ceased to exist. But the culture that produced the Flow Health agreement did not dissolve with it.
Source: VA OIG Report #17-01980-201, p. 2
5. What Happened to the People Responsible
The OIG referred the matter to the U.S. Department of Justice. DOJ declined to prosecute.
The OIG made two recommendations: that the relevant VA leadership determine whether administrative action should be taken against the OIT program manager and the VHA employee. VA concurred with both recommendations. The OIT response stated that "administrative action is warranted based on the facts contained in the report."
However, as of the report's publication date of January 28, 2021 — more than four years after the incident:
- The OIT program manager had been reassigned in 2017 to the OIT Account Management Office and as of January 6, 2021, continued to work there.
- The VHA employee had continued as VHA's deputy chief health technology officer throughout the entire investigation period — the same position he held when he originated the Flow Health deal in March 2016 — and as of January 6, 2021, still held that position.
"The OIG was unable to determine why the OIT program manager and the VHA employee engaged in this conduct." — VA OIG Report #17-01980-201, p. ii (footnote 6, repeated in the body of the report)
That sentence appears twice in the report. The OIG subpoenaed bank records, reviewed personal emails and text messages, obtained phone records, and conducted sworn interviews. After all of that, they still could not determine the motive. No financial relationship with Flow Health was found. The report does not speculate further.
6. The Connection to the 2015 Foreign Access Investigation
This report does not exist in isolation. It is the second in a series of VA OIG investigations documenting failures of the same VA IT structure to protect veteran data.
The 2015 OIG report (Report #13-01730-159) found that VA contractor employees — working through the same OIT Austin Information Technology Center — accessed VA systems from China and India using personally-owned, unencrypted laptops. One contractor had administrator-level access to every UNIX and Linux server at the Austin IT center, including the Veterans Benefit Administration Data Warehouse, the Health Data Repository, and My HealtheVet. He left his laptop in China. The OIG wrote that there was no way to determine what was on it or whether it was still being used to access VA networks.
The systems that contractor accessed from Shanghai in 2013 are the same systems whose data was nearly handed to Flow Health in 2016. The same OIT structure. The same pattern of indifference when experts raised alarms. The same outcome: referral to DOJ, declination to prosecute, employees remaining employed.
2013–2015: H-1B sub-vendor contractors access VA systems — including veteran health, financial, and benefits records — from China and India on unencrypted personal equipment. Security staff find no written policy prohibiting it. OIG refers to DOJ. DOJ declines. No one prosecuted.
2016–2021: Two VA employees nearly transfer all veteran health records, including genomic data, to a private AI company. Privacy experts' objections are hidden from the approving official. OIG refers to DOJ. DOJ declines. No one prosecuted. Both employees remain at VA for years.
2025–2026: The same vendor ecosystem from the 2015 investigation is still placing H-1B workers at the same Austin IT facility. One vendor explicitly lists the work as "remotely working for" the VA — the same remote access arrangement that the 2015 OIG found led to unauthorized international access. See our H-1B investigation →
7. Assessment
8. Source
This report is based entirely on VA Office of Inspector General Administrative Investigation Report #17-01980-201, published January 28, 2021, titled False Statements and Concealment of Material Information by VA Information Technology Staff. It is a public document available at va.gov/oig.
All quoted material is drawn directly from the OIG report. All factual claims are sourced to specific pages and footnotes of that report. This summary presents the OIG's own findings and does not make independent allegations beyond what the OIG documented.
The employees involved are identified only as "OIT program manager" and "VHA employee" — the same anonymization used in the OIG report itself.
📁 VA Data Security — Three-Part Investigation Series
13 staffing firms, 15 worker positions, vendors from the 2015 OIG investigation still active in 2025–2026. Source: DOL/OFLC ETA-9035 + VA OIG Report #13-01730-159.
You are here. Source: VA OIG Report #17-01980-201 (January 2021).
A connecting summary tying all three investigations into a single decade-long narrative.
♥ Help Support This Research
This investigation is produced independently — one person, 23 years of data work, living on $1,419/month Social Security. Veterans deserve accountability in the systems built to serve them. If this work matters to you, a small donation makes a real difference.
♥ Donate via Square More Reports