WASHINGTON — Investigators have uncovered no evidence of Veterans Affairs Secretary David Shulkin’s claims that email hacking may have contributed to a series of ethics violations during an overseas trip last year.
In a letter to lawmakers on Tuesday, VA Inspector General Mike Missal said his staff found “no evidence” that serious computer security violations were compromised and no indication that more minor email issues played a part in the mistakes last summer.
“The OIG now believes that the allegations of ‘hacking’ are limited to unrelated and relatively unsophisticated ‘spoofing’ of (former VA Chief of Staff Vivieca) Wright Simpson’s identity through messages sent from an external, non-VA email address,” the note states.
The findings appear to close one part of an ongoing, complicated scandal at the Department of Veterans Affairs stemming from a 10-day trip to Denmark and London last July.
Earlier this month, Missal’s office released a scathing inspector general report listing multiple ethics and policy violations for the overseas trip, including Shulkin’s decision to accept free tickets to a Wimbledon match from an English businesswoman and staff decision to pay for Shulkin’s wife to accompany him to a series of business and tourism events.
David Shulkin moved to quell rumors of a power struggle at VA during a Tuesday appearance: "I’m the secretary. I set the agenda."
The justification for her inclusion on the trip came in large part because of a doctored email forwarded by Wright Simpson, making it appear that Shulkin was being honored at a state dinner instead of merely an official guest.
Wright Simpson retired two days after the report’s release. Shulkin said at the time he believed her emails had been hacked in the past, which may have played a role in confusion over the purpose of the trip.
But in recent days he has backed off that stance. Speaking with reporters on Tuesday, Shulkin said he no longer believes there was any serious compromise of VA technology systems, and that problems with the email were unrelated to the trip.
The hacking claims raised concerns from outside critics and members of Congress. At a hearing on Feb. 15, House Veterans’ Affairs Committee ranking member Rep. Tim Walz, D-Minn., requested the inspector general and Department of Justice be alerted to the issue, because it may have meant federal crimes were committed.
On Wednesday, Walz issued a statement stating that “allegations of potential criminal activity carried out on VA computers and networks ought to be taken seriously” and praising the IG’s quick investigation.
“Accountability at VA will always be paramount and I expect VA will take additional actions if appropriate after VA completes its review of the OIG’s report,” he said.
That report notes that even VA leadership seemed skeptical of Shulkin’s hacking claims, releasing an official statement on Feb. 16 stating that “thus far found no credible or conclusive evidence of a compromise to our email system or a user’s account.”
When confronted by investigators, the letter states, Shulkin “informed us that, in speaking with reporters about Ms. Wright Simpson’s allegations, he did not mean to imply that her VA email had been ‘hacked.’”
The only email problems uncovered by the new IG investigation were a suspicious email sent from an outside account on Feb. 14, seven months after the overseas trip.
Shulkin has already paid back the cost of his wife’s airfare and the tennis tournament tickets, and promised to implement other ethics reforms in the months to come.
But he voiced disagreement with the travel report’s findings and has suggested that some mistakes made in handling the controversy were inflamed by internal tensions at the department. Shulkin has promised to root out “subversives” within VA, but thus far Wright Simpson’s departure has been the only significant leadership change.
Missal’s letter states that investigators will continue to monitor “all credible allegations of email and computer hacking or other violations at VA” but thus far have seen little reason for concern.
“VA IT staff appear to be keeping VA employees informed and advised of actions they should take in response to such (security concerns),” the letter states.