The online privacy of veterans and Veterans Affairs employees—including their health-care and financial information—is at risk, according to an internal draft of a VA report obtained by CNBC.
A data breach of financial, medical and personal information is "practically unavoidable" and is likely to happen within 12 to 18 months, according to the draft report prepared in July by the VA's Office of Information & Technology Risk Management Team. The office is responsible for securing the online data of roughly 20 million American veterans, dependents and VA employees.
"The VA cannot ensure the safety and privacy of Veteran and employee healthcare, benefits, and financial information," according to the July 2, 2013, report. "The VA is non-compliant with its own privacy and security policies and with Federal laws and regulations."
VA spokeswoman Victoria Dillon told CNBC in an email, "The internal VA document referenced was an internal draft document with significant inaccuracies that was subsequently rescinded and corrected. The final document no longer contains the quoted inaccurate language."
When asked which specific portions of the report were inaccurate, Dillon failed to respond. Follow-up questions through additional emails and phone calls for an updated report were not returned.
In a May letter obtained by CNBC, Secretary of Veterans Affairs Eric Shinseki vouched for the VA's information technology systems. "To be clear, VA's security posture was never at risk," Shinseki said in the letter to Rep. Mike Coffman, chairman of the House Veterans Affairs Subcommittee for Oversight and Investigations.