Tim Walz and JD Vance’s medical records viewed illicitly by veterans department staff

A criminal investigation is underway after staff at the US Department of Veterans Affairs illicitly accessed the medical records of Tim Walz and JD Vance, the Democratic and Republican vice-presidential nominees.

At least a dozen employees – including one doctor and one contractor – at the department’s healthcare body, the Veterans Health Administration, are believed to have improperly viewed the files, according to the department’s investigators.

Evidence has been passed to federal prosecutors by the office of the Veterans Affairs (VA) inspector, Michael Missal. The physician and contractor are believed to have looked at the documents for an extended period, law enforcement officials told the Washington Post, prompting concerns about their motives.

Other employees who saw the files are understood to have told investigators that they were curious about the background of two politicians who have been under public scrutiny since being elevated on to their parties’ residential tickets.

Both Walz and Vance – who are due to meet in New York on Tuesday for a vice-presidential debate hosted by CBS – are military service veterans.

Walz, the Democratic governor of Minnesota, served 24 years in the National Guard before leaving in 2005 to run for Congress. Vance, a GOP senator for Ohio, was in the US Marine Corps and served in Iraq.

He has previously said he received VA medical care for a period after leaving the marines. It is not known if Walz used VA services.

It is unclear how the breach was discovered but it appears to have taken place in the few weeks after both men were selected for their respective parties’ running mate slots. Both campaigns have declined to comment.

After the violation came to light, Denis McDonough, the VA secretary, wrote to the department’s 450,000 employees reminding them of the strict rules on veterans’ privacy.

“Viewing a veteran’s records out of curiosity or concern – or for any purpose that is not directly related to officially authorised and assigned duties – is strictly prohibited,” he wrote in an email sent on 30 August.

Looking at another person’s health information without proper authorisation contravenes the 1996 Health Insurance Portability and Accountability Act and can be punishable by a maximum $50,000 fine or up to a year in prison. While breaches in the healthcare industry are increasingly common due to cyber attacks, prosecutions in individual cases are rare.

VA officials have said that administrative sanctions could be imposed on individuals deemed culpable of violating Walz’s and Vance’s files, even in the absence of prosecutions.

“We take the privacy of the veterans we serve very seriously and have strict policies in place to protect their records,” Terrence Hayes, the VA press secretary, told the Washington Post. “Any attempt to improperly access veteran records by VA personnel is unacceptable and will not be tolerated.”