5 petitions

Started 2 months ago

Petition to President of the United States, U.S. House of Representatives, U.S. Senate, Department of Justice, Donald Trump, United States Department of Health and Human Services, Department of Veterans Affairs

Fix The Cyber Security Defect in the Veterans Benefits Management System

Dear Veteran, Do you know who is watching you? Anyone who has access to the VA's computer system. Thousands of people can access your information, including contractors, Veterans Service Organizations and more. With a few strokes of the keyboard someone can view decades of information about you (depending on your age), including all of your military records, from anywhere in the country, including from someone's living room. No person, not even a government official, should have that much access to so much information about a person's past and present life history, especially VA bureaucrats who are known to be unscrupulous. No manager or former manager or co-worker should have access to so much information about their current or former employees or co-workers. Except at the VA thousands of people can access the private information of basically anyone they choose, because the VA allegedly forgot to build in security measures that would prevent people from unauthorized access. As if that weren't bad enough, the VA is not enforcing existing privacy laws. We have other petitions we need people to sign as we break down this enormous elephant in the room that everyone is pretending to not see. It appears the VA bureaucrats either do not want to spend the money to fix this problem or they simply do not want to fix the problem, or both. Any way you look at it, veterans are being harmed by this major VA defect in its computer system.
Consider this:
1) The Department of Veterans Affairs (VA) has a history of veteran medical record and sensitive personal information privacy violations; and
2) The Office of Inspector General (OIG) released a report April 2016, in which the VBA had not integrated proper audit logs in VBA’s new system called Veterans Benefits Management System (VBMS); and
3) VA failed to establish satisfactory system requirements in VBMS that would ensure that accurate audit logs were created; and
4) Veteran medical records and sensitive personal information data sit at the root of all privacy and security user training and access controls not being properly implemented nor adequately monitored. A clear violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its enforcement; and
5) OIG discovered VBA cannot detect if an employee without proper access authorization has improperly accessed a veteran’s file, because VBMS is not compliant with audit log procedures per required Federal Information Processing regulations; and
6) OIG reported that the security vulnerability is due in part because the Office of Business Process Integration did not create system requirements in VBMS to assure audit logs could accurately pinpoint security violations; and
7) The VA is required by several regulations (e.g., Federal Information Processing Standards Publication) to develop, sustain, and retain audit records to supervise, analyze, and report on inappropriate access of information systems; and
8) VA’s own VA Handbook states that information systems are required to create detailed audit logs that can help recreate a data security incident and/or breach as well as restrict certain VBMS users system wide, to include Tele-Work without the proper authorization access level from accessing certain claim files; and
9) VA must establish a level of visibility that will provide VBMS system security monitors the ability to detect unusual behavior and the necessary tools to quickly identify and respond to any unauthorized user access, thus ensuring system integrity and user access authorization level is compliant with all regulations and procedures;
Veterans need your help with seeking legislation to change applicable regulations that will ensure VA programs containing Veterans’ Electronic Medical Records and Sensitive Personal Information restrictions are in place with appropriate security system monitors to deter any unauthorized users from accessing veterans’ information, have functional and accurate audit logs that can pinpoint security violations, as well as, compliant with existing laws and regulations minimizing any ambiguity and ensures adherence and accountability.

Jamie Fox
20 supporters
Update posted 6 months ago

Petition to Phil Roe, U.S. House of Representatives, U.S. Senate, President of the United States, Bernie Sanders, Johnny Isakson, Jon Tester, Jerry Moran, Patty Murray, John Boozman, Sherrod Brown, Dean Heller, Richard Blumenthal, Mike Rounds, Bill Cassidy, Thom Tillis, Mazie Hirono, Tim Walz, Gus Bilirakis, Marco Rubio, Mark Takano, Joe Manchin, Dan Sullivan, Mike Coffman, Brad Wenstrup, Mike Bost, Bruce Poliquin, Neal Dunn, Jodey Arrington, John Rutherford, Clay Higgins, Jack Bergman, Jim Banks, Julia Brownley, Ann Kuster, Beto O'Rourke, Elizabeth Esty, Scott Peters, Gregorio Sablan, Lou Correa, Jenniffer Gonzalez-Colon, Aumua Radewagen, Doug LaMalfa, Jared Huffman, John Garamendi, Tom McClintock, Kamala Harris, Dianne Feinstein, Doris Matsui, Paul Cook, Jerry McNerney, Jeff Denham, Mark DeSaulnier, Nancy Pelosi, Barbara Lee, Jackie Speier, Eric Swalwell, Jim Costa, Ro Khanna, Anna Eshoo, Zoe Lofgren, Jimmy Panetta, David Valadao, Devin Nunes, Kevin McCarthy, Salud Carbajal, Steve Knight, Judy Chu, Adam Schiff, Tony Cardenas, Brad Sherman, Peter Aguilar, Grace Napolitano, Ted Lieu, Jimmy Gomez, Norma Torres, Raul Ruiz, Karen Bass, Linda Sanchez, Ed Royce, Lucille Roybal-Allard, Ken Calvert, Maxine Waters, Nanette Barragan, Mimi Walters, Alan Lowenthal, Dana Rohrabacher, Darrell Issa, Duncan Hunter, Juan Vargas, Susan Davis, Mike Pence, Orrin Hatch, Mitch McConnell, John Cornyn, John Thune, John Barrasso, Roy Blunt, Cory Gardner, Mike Lee, Mike Crapo, Charles Schumer, Dick Durbin, Debbie Stabenow, Mark Warner, Elizabeth Warren, Amy Klobuchar, Tammy Baldwin, Chris Van Hollen, Jeff Merkley, Lisa Murkowski, John McCain, Jeff Flake, Tom Cotton, Michael Bennet, Chris Murphy, Tom Carper, Christopher Coons, David Perdue, Brian Schatz, James Risch, Tammy Duckworth, Joe Donnelly, Todd Young, Chuck Grassley, Joni Ernst, Pat Roberts, Rand Paul, John Kennedy, Susan Collins, Angus King, Ben Cardin, Edward Markey, Gary Peters, Thad Cochran, Roger Wicker, Claire McCaskill, Steve Daines, Deb Fischer, Benjamin Sasse, Catherine Cortez Masto, Jeanne Shaheen, Maggie Hassan, Robert Menendez, Cory Booker, Tom Udall, Martin Heinrich, Kirsten Gillibrand, Richard Burr, John Hoeven, Heidi Heitkamp, Rob Portman, James Inhofe, James Lankford, Ron Wyden, Robert Casey, Pat Toomey, Jack Reed, Sheldon Whitehouse, Lindsey Graham, Tim Scott, Lamar Alexander, Bob Corker, Ted Cruz, Patrick Leahy, Tim Kaine, Maria Cantwell, Anthony Brown, Scott Perry, Tulsi Gabbard, Ralph Abraham, Mark Amodei, Brian Babin, Don Bacon, John Bergman, Sanford Bishop, Jim Bridenstine, Vern Buchanan, Larry Bucshon, G.K. Butterfield, Doug Collins, Mike Conaway, John Conyers, Rick Crawford, Warren Davidson, Pete DeFazio, Ron DeSantis, John Duncan, Mike Enzi, Rodney Frelinghuysen, Michael Gallagher, Barry Loudermilk, Roger Marshall, Brian Mast, Martha McSally, Seth Moulton, Tim Murphy, Bill Nelson, Pete Olson, Steven Palazzo, Bill Pascrell, Steve Pearce, Collin Peterson, Ted Poe, Dave Reichert, Hal Rogers, Tom Rooney, Bobby Rush, Bobby Scott, Jose Serrano, John Shimkus, Chris Stewart, Steve Stivers, Scott Taylor, Joe Wilson, Steve Womack, Don Young, Lee Zeldin

Protect Jamie's Private Medical Info From Her Former VA Employers & Make Them Accountable

Statement of Ms. Jamie Fox
Before the House Committee on Veterans’ Affairs
January 30, 2018
Chairman Roe and Ranking Member Walz; Thank you for this opportunity today to speak out on behalf of veterans who are also VA employees. I am submitting this statement for the record in cooperation with Whistleblowers of America (WoA) because my situation is not unique. WoA has had several other veteran/VA employees make this same claim about having their private information weaponized. We are joining forces today in hope that this hearing will give voice to those of us who have had our privacy invaded after blowing the whistle on VA and to ask Congress, that as you consider legislative reform for the Veterans Benefits Administration (VBA), that you might also consider the need to further protect Claim or C-files and to allow veterans/employees to know who has accessed their personal information. Let me begin by saying that I come from a long line of family members who have served in the military as far back as the Revolutionary War and who are currently serving in the military. I also served honorably for five years in the U.S. Navy. When I volunteered to serve in the military and civil service I did not volunteer to be subjugated to the unethical and illegal abuse of public office power. Since coming forward in 2008, as a witness for a former co-worker who was being harassed – in order to help her stop the harassment – I have been continuously harassed, punished, and retaliated against by the same people who protected the perpetrator. When I came forward that day in 2008, I thought there were laws that protected me. I utterly had no idea that such a simple gesture, like caring for the dignity of another human-being, would have such severe and far reaching negative consequences. What is and has been happening to me is unethical and illegal. Not only is it a breach of privacy, but it is also a breach of trust.
It is a disgrace when the very people who defend the rights of the American people do not have those same rights at the VA, particularly the right to have our private information protected from the people who we do not want to access our private information. Many veterans wrongly believe their private information, which includes Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) is protected by privacy laws, but at the VA this belief couldn’t be further from the truth. Veterans’ PII and SPI have more protection in the civilian sector because there are very real and serious consequences for privacy violations, but there appears to be very little recourse for veterans whose privacy is violated by government officials at the VA. According to Deven McGraw, Director of the Washington-based Health Privacy Project of the nonprofit Center for Democracy and Technology, the VA remains one of the top Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy offenders. In April 2015, the Office of Special Counsel Director, Carolyn Lerner, testified in Congress that the prevalence of privacy violations at the VA has become an epidemic. VA Office of Inspector General (OIG) released a report in April 2016, in which the VBA had not integrated proper audit logs in their new veterans’ claims processing computer system, called Veterans Benefits Management System (VBMS). In fact, VBA failed to establish satisfactory system requirements in VBMS that would ensure that accurate audit logs were created. Without accurate audit logs, Information Security Officers cannot effectively identify, report, and react to data security issues in VBMS. OIG discovered VBA cannot detect if an employee improperly accessed a claim and that VBMS was not compliant with audit log procedures and regulations.
Further OIG reported that the security vulnerability occurred because the Office of Business Process Integration did not create system requirements in VBMS to assure audit logs could accurately pinpoint security violations. It assumed that the audit log functionality was already built into VBMS as it was for the legacy claims processing systems. The VBA is required by several regulations (e.g., Federal Information Processing Standards Publication) to develop, sustain, and retain audit records to supervise, analyze, and report on inappropriate access of information systems. The VBA must also develop the capability to monitor the actions of individual users. VBA’s own VA Handbook states that information systems are required to create detailed audit logs that can help recreate a data security incident. As a veteran using the VA system, I recently discovered that I have absolutely no control over my private and protected information, and that VA managers have carte blanche to everything with impunity! Anyone who has access to VBMS with a few strokes of the keyboard can view over 30 years of information about me, from anywhere in the country, including from someone’s living room. No person, not even a government official, should have that much access to so much information about a person’s past and present life history, especially VA employees who are known to be unscrupulous. No manager or former manager or co-worker should have access to so much information about their employees or co-workers, especially the people who were responsible for forcing my resignation and who I testified against for protecting the man who I witnessed harassing a co-worker. What I say to my doctor is no one else’s business unless they absolutely have to view the information and were authorized to view the information. It is my right to see who has accessed my private information and it is my right to restrict who sees my information. 
It is incomprehensible to think the VBA failed to build in safeguards in its highly touted computer program, which was allegedly designed to make processing veterans’ claims more efficient, but cannot restrict certain VBMS users from accessing specific claim files, except through an antiquated security system that was designed to control paper files. This antiquated security system allowed and continues to allow people, like my former managers and co-workers, access to my protected information. It also allows managers and employees to snoop on current VA veteran employees and co-workers. It’s easier to conceptualize the outdated security control system as a pyramid, scaled 1 to 9, where 9 has the most restriction. The higher the sensitivity level, the fewer people who can view the C-file. The higher the sensitivity level the fewer people there are to help a veteran with their C-file. C-files that are classified at sensitivity level 8 and above cannot receive help from the public contact line and Veterans Service Organizations, even with simple tasks, like changing an address. The only way someone would not be able to view a C-file is if they did not have access to a particular sensitivity level. For example, if you are authorized to view sensitivity level 7 C-files then you could view C-files classified at sensitivity level 7 and below. Obviously, anyone who does not have a sensitivity level 7 clearance would not be able to view C-files classified at sensitivity level 7 and above. Managers can also authorize other managers or employees, depending on the sensitivity level, to work on a C-file classified at a higher sensitivity level for a limited time. So, as you can see, it really does not matter what sensitivity level a veteran’s C-file is classified at, if VA managers can work around existing security features.
VA leadership is misrepresenting the capabilities of the Restricted Access Claim Center (RACC) at the St. Paul, Minnesota Regional Office (and other RACC locations) regarding the restrictions related to managers and co-workers from accessing a current or former employee’s veteran C-file. I was told once my C-file obtained RACC protection that the Oakland VA Regional Office would no longer have access to my C-file. I disproved this claim when I scheduled an appointment to review my digital C-file at the Oakland VA Regional Office. I witnessed with my own eyes how Oakland managers can still access my private information. It appears the RACC only restricts people from making changes to a C-file. I was also told by several VBA employees that if a co-worker or a manager accesses a veteran employee’s C-file, an alarm gets set off - that some employees have referred to as a “ping” - at the VA’s Office of Information and Technology (OIT). However, I have spoken with several people from OIT and was informed there was no such “alarm” or notification when someone who does not have authorization accesses a C-file. I have been trying for several months to obtain a list of every person who has ever accessed, viewed, and/or queried any part of my C-file. It is every veteran’s right to know who has been viewing their private information. The VA promised me I would receive an unredacted audit. However, the list the VA sent me was incomplete. There were many missing names and dates. VBA claimed that those were all the people and dates that they could find. However, I have evidence proving otherwise. When I informed the VA, in October 2017, of the missing names and dates, I was told the VA would look further into it. I have not received anything to date from this October request. When I recently requested a status update on the audit of my C-file, I was told that VA FOIA requests were backlogged. I originally informed VA leadership in Washington DC of the privacy violation in early July 2017, as well as, requested an audit of my C-file at that time.
The person who is currently scrubbing the audit list of my C-file is the Director of the RACC, Ms. Kim Graves who totally disregarded my letter asking for RACC protection and assigned my C-file to the Oakland VARO, against my permission. When I asked OIT why they could not directly mail me the audit, I was informed that OIT “had” to send audits to the director of the regional office that has jurisdiction over my C-file. This absolutely makes no sense at all. Having the VA patrol itself is like having a fox guard the hen house. As you already know, Kim Graves has demonstrated her lack of integrity, so it is difficult to have confidence in her abilities. She and Diana Reubens are also tight with some of the Oakland VA regional office managers who are using the VA system to retaliate. VA leadership has been informed that my former managers and co-workers at the Oakland VA Regional Office retaliated against me by trying to use my C-file against me. Yet nothing has been done about it, no one has been held accountable, no one has been prevented from accessing my C-file and hardly anyone returns my communication. I am having difficulty obtaining help from both VA employees, or the Veterans Service Organizations, not because they do not want to help me, but because, as they all put it, and quite frankly I have lost count on the number of people who have told me this, they are all afraid to help me for fear that they will be targeted like me; they are afraid of being “blacklisted” or “blackballed”, they fear they will lose their job and/or VA benefits. What does it say about our country when veterans are afraid to speak out against unethical and illegal practices at the VA for fear of retaliation? I have a lot of support in the shadows, but no one has been willing to step out into the light and be my champion, because it is seen as a fruitless mission; instead of creating meaningful change, the mission would be more like falling on one’s sword. 
I am grateful to have found Whistleblowers of America because they understand whistleblower retaliation and are willing to give me a voice today. We ask that Congress act on behalf of veterans so that they can obtain an accurate audit of his/her C-file and to protect veterans’ privacy. The solution to update VBA’s security control system for digital C-files is to have Congress legislate new laws that can make VBA do so. The VA cannot be trusted to fix this security problem, because VA directives, memorandums, and protocols can be changed by the VA at any time, as well as, their interpretation and adherence to their own made up rules. A well written law minimizes ambiguity and ensures adherence and accountability. I started a petition on, called “Protect Jamie’s Private Medical Info from Her Former VA employers and Make Them Accountable,” so I could get the attention of our legislatures. (I am represented by Representative Mike Thompson and Senator Kamala Harris who are aware of my situation.) I was told I would gain the ear of Congress if I could obtain at least 100,000 signatures. Although this petition has my name on it, protecting veterans’ privacy is not just for me, but for every veteran. Every veteran has a right to know, in a timely manner, who has been viewing their private information and why. There must be an enforceable law to deter people from accessing a veteran’s C-file without first having authorization or permission by the veteran. Congress can pass a law that makes each veteran a watchdog over their own C-file by releasing unredacted audits of their C-file immediately upon request and whenever requested. Audit logs could be readily accessed at any time via the eBenefits portal, which would show the veteran via live coverage, who is and has been viewing their protected information.
Congress should pass a law that requires the reporting of privacy violations to be made easy and efficient, as well as, hold VA managers and employees accountable for privacy violations. Congress should pass a law that makes sure VBMS and any other VA computer system has functional and accurate audit logs that can accurately pinpoint security violations. Thank you for your time and consideration.
Whistleblowers of America (WoA) is a 501C3, EIN 82-3989539. Its mission is to provide peer support to employees and veterans who have reported wrongdoing and experienced retaliation. #USTOO
Jamie Fox is a whistleblower from Oakland, CA who reported harassment of a co-worker and suffered retaliation while working in the Oakland Regional Office. She is currently employed at another VA facility. This statement is made on her own time and not representative of the VA. #protectveteransprivacy
To learn more please visit

Jamie Fox
364 supporters
Started 8 months ago

Petition to New York State Legislature

Pass the SHIELD Act to stop identity theft

This fall, more than 140 million Americans, including more than 8 million New Yorkers, had their personal data exposed in the massive hack of Equifax. This was the biggest known breach of Social Security numbers in history. To make matters worse, it was entirely preventable. But there’s good news: the NY State legislature can pass my legislation—the SHIELD Act—to prevent hacks like these from ever happening again. New York’s data security laws are toothless and outdated. While cybercrime has evolved, our laws have stayed the same. If we had stronger standards in place before the Equifax hack to fix these loopholes, the breach may have been avoided. We can’t afford to wait for Congress to act. It’s up to us here in New York. That’s why I’m asking advocates, businesses, and New Yorkers like you to join me in calling on New York’s legislators to pass the SHIELD (Stop Hacks and Improve Electronic Data Security) Act to make our state a national leader in data security.
Under this bill, companies would be required to:
Maintain reasonable safeguards for our data: the more sophisticated the company, the more robust the safeguards.
Report breaches that expose our usernames and passwords, biometric data, or private health data—not just those breaches that expose social security numbers or other financial data.
Data breaches are more frequent than ever. They're jeopardizing our privacy and our financial information. Stopping them is in everyone’s interest. Passing the SHIELD Act will enable my office to hold companies accountable, and make sure New York law finally applies common sense standards to businesses of all different sizes.
Join me by signing this petition and calling on New York’s legislators to protect your data now—before the next big hack puts us all at risk of identity theft again.

New York Attorney General Eric Schneiderman
9,576 supporters
Update posted 8 months ago

Petition to Paulino do Rego Barros Jr., James M. Peck, Brian Cassin

Free From All 3: Make Credit Freezes Free to all Americans

Regardless of where or when a data breach occurs, it leaves people feeling powerless and helpless; confused and angry.  The ITRC has been tracking data breaches for more than a decade and we hear from the victims of these breaches on a near-daily basis. Breaches of really sensitive personal information like Social Security numbers are nothing new, but the sheer size of the Equifax data breach is unprecedented and alarming. Lately, we have been seeing data breaches grow larger and more dangerous at a frightening pace. Unless we, as a society, make this a national priority, we predict the Equifax breach will be eclipsed by yet another larger, more destructive data breach in a very short period of time. We need ALL stakeholders – consumers, industry, and government – to engage in a solution.  Right now the industry has the opportunity to step up and help Americans protect themselves from the loss and theft of personal information. Currently, victims of identity theft may be able to have the fees for credit freezes waived. But what about other consumers who want to proactively protect their identity, especially in cases where they have become victims of data breaches? Everyone should be able to take the proactive step of a credit freeze, no matter their level of income. We believe credit freezes should be free. Not just from Equifax, and not just for 30 days. We are asking for all credit reporting agencies to provide all Americans with the ability to enact an initial freeze of their credit report at any time and one free thaw and refreeze per year. We realize that free credit freezes won’t solve the identity theft problem once and for all.  That will require more work, in many other areas.  However, it is one way that we can reduce the rate of identity theft in America and that’s definitely a step in the right direction. We all need to continue working towards a better balance between convenience and security. 
The ITRC will continue to push for this conversation to be at the forefront of public debate. However, right now we are bleeding.  We need a tourniquet and that tourniquet comes in the form of free credit freezes. Will you join us in our efforts to help protect Americans from identity theft? Sign the petition to tell the three major credit reporting agencies that you want a free initial credit freeze and one thaw and re-freeze per year for all Americans. Share this petition and tag #FreeFromAll3

Eva Velasquez
155,986 supporters