A computer update in 2013 may have led to the exposure of 133 patients’ personal data at the VA Medical Center in Long Beach, according to a report released Wednesday by the Veterans Affairs Office of Inspector General.

When the VA’s computer systems were updated from Windows XP to Windows 7 in 2013, a diagnostic device for the esophagus was no longer able to connect to the VA’s system, the report said. Staff in a laboratory used a workaround that included using personal emails, a laptop, a non-encrypted flash drive, text messages and cloud storage, none of which complied with the hospital’s privacy policies.

“The OIG concluded that patient sensitive personal information was at risk for disclosure to outside sources,” the report said.

The initial workaround included downloading a report from the diagnostic machine onto a non-encrypted flash drive, then plugging it into a VA computer, downloading and saving it to the computer, then uploading it to the patient’s electronic medical record. When the VA disabled the use of non-VA flash drives, a gastroenterologist came up with a secondary workaround—without guidance from the information system security officer—that involved a personal computer and email account to transfer the reports, the OIG said.

The VA never notified the 133 patients of the possible exposure because “no evidence was provided that the sensitive personal information had been lost or disclosed to unauthorized persons,” the report said.

The inspector also found that facility staff used logbooks, which are prohibited, to track patient information and testing equipment.

The inspection came after the OIG heard allegations about time-card fraud kickbacks, conflicts of interest, and misuse of government funds by medical staff at the facility in May 2017, but the OIG was never able to substantiate the allegations during its investigation. Instead, it found a different issue with the VA’s information security policy, the report said.

The OIG made a number of recommendations to the VA’s director, mostly that the hospital review its privacy policies and ensure all staff abide by them. It also recommended that the director consider offering credit monitoring services to the affected patients.

Walt Dannenberg, the director of the medical center, noted in the comments of the report that he agreed with all of the recommendations.

Dannenberg stated that after requesting credit monitoring for the affected patients, he was told by the National Data Breach Response Service that “this incident did not meet the criteria of a privacy breach, and the request to provide credit monitoring was denied.”