Protect Veterans from the THIEF Act
- Bill Number
- H.R. 7241
- Origin Chamber
- House
- Congress
- 119th Congress, Session 2
- Policy Area
- Armed Forces and National Security
- Status
- Introduced
- Latest Action
- 2026-02-12: Referred to the Subcommittee on Oversight and Investigations.
- Last Updated
- 2026-02-25T20:11:23Z
AI-Generated Summary
Purpose
The legislation aims to safeguard veterans' sensitive personal information held by the Department of Veterans Affairs (VA) by preventing its sale, monetization, or misuse through VA contracts with external entities. It builds on existing privacy protections to ensure contractors cannot profit from or improperly disclose veterans' health and identifying data.
Key Provisions
- Prohibition on Selling Sensitive Information: Amends Section 5725 of Title 38, United States Code, to add a new subsection (d) that bars the VA Secretary from entering any contract allowing a contractor to sell or disclose for payment (e.g., "for consideration") sensitive personal information maintained by the VA.
- Contract Protections and Guidance:
- Within one year of enactment, the VA Secretary must update or include in all "covered contracts" (those handling protected information, whether new or existing and unexpired) a clause prohibiting contractors, subcontractors, affiliates, or other non-VA entities from monetizing, selling, or misusing "covered information."
- The Secretary must issue a directive or policy guiding VA employees and contractors on detecting and preventing such misuse to ensure compliance.
- Reporting Requirement: Within one year of enactment, the VA Secretary must submit a report to the House and Senate Committees on Veterans' Affairs, including:
- A copy of the required contract clause.
- The compliance guidance.
- A summary of other steps taken to implement these protections.
- Definitions:
- Covered information: Includes protected health information (details about medical conditions or treatments) or personally identifiable information (data that can identify an individual, even if anonymized). This encompasses information protected by laws like the Privacy Act (5 U.S.C. § 552a), VA confidentiality rules (38 U.S.C. §§ 5701, 7332), HIPAA regulations (45 C.F.R. Parts 160, 161, 164), or other relevant laws as determined by the VA.
- Covered contract: Any VA contract involving the handling of covered information, entered before or after enactment (if it hasn't expired by enactment).
Significant Changes to Existing Law
- Adds a specific prohibition (new subsection (d)) to Section 5725 of Title 38, U.S. Code, which previously focused on notifying individuals of data breaches but did not explicitly address sales or disclosures in contracts.
- Expands contract oversight by mandating proactive clauses and guidance in existing and future agreements, integrating protections from multiple privacy laws (e.g., Privacy Act, HIPAA) into VA contracting practices. This shifts from reactive breach notifications to preventive measures against commercial exploitation.
Potential Impacts
- On Government Agencies: The VA will face administrative burdens to review and modify contracts, develop guidance, and report to Congress within one year, potentially increasing compliance costs but strengthening data security protocols.
- On Citizens: Veterans benefit from enhanced privacy, reducing risks of identity theft, fraud, or unauthorized health data sales, which could occur if contractors previously shared or sold data.
- On International Relations: No direct impacts, as the bill focuses on domestic VA operations and U.S.-based contractors; however, it may indirectly influence how U.S. veterans' data is handled in any international VA partnerships.
Main Stakeholders Affected
- Veterans and VA Beneficiaries: Primary beneficiaries, as their personal and health data is protected from commercial exploitation.
- Department of Veterans Affairs: Must implement changes, including contract updates and employee training, affecting operations and budgeting.
- Contractors and Subcontractors: Businesses handling VA data (e.g., IT or health services providers) face restrictions on data use, potentially limiting revenue streams but requiring stricter compliance to maintain contracts.
- Congressional Committees on Veterans' Affairs: Gain oversight through the required report, enabling monitoring of VA implementation.
Notable Legal, Constitutional, or Political Implications
- Legal Implications: Reinforces existing federal privacy frameworks (e.g., HIPAA, Privacy Act) by embedding them into contract law, potentially leading to easier enforcement through contract breaches rather than solely relying on regulatory violations. It may set a precedent for similar protections in other federal agencies handling sensitive data.
- Constitutional Implications: Aligns with privacy expectations under the Fourth Amendment (protection against unreasonable searches) and due process, without raising concerns about overreach, as it targets voluntary contracts rather than individual rights directly.
- Political Implications: Demonstrates bipartisan focus on veteran welfare (introduced by Reps. Budzinski and Barrett), potentially boosting public trust in VA data management amid rising concerns over data breaches and commercialization. It could influence future legislation on federal data privacy, emphasizing prevention over reaction.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Rep. Budzinski, Nikki [D-IL-13]
Cosponsors (1)
Recent Actions
- 2026-02-12: Referred to the Subcommittee on Oversight and Investigations.
- 2026-01-27: Referred to the House Committee on Veterans' Affairs.
- 2026-01-27: Introduced in House
- 2026-01-27: Introduced in House
Bill Versions
- Protect Veterans from the Theft of Health and Identifying Information in Electronic Forms Act — issued 2026-01-27 — PDF (4 pages)