DataBreaches.Net


VA monthly report for September reveals possible access control issue

Posted on October 14, 2010 by Dissent

The Department of Veterans Affairs has released its monthly report to Congress on data breaches.  For the period August 30 – October 3, the reported incidents included:

  • 33 incidents involving mis-mailed prescription medication packages by the Consolidated Mail Outpatient Pharmacy [out of 7,144,426 total packages (10,510,547 total prescriptions)] and
  • 60 Mis-Handling incidents (these might involve revealing one patient’s PII and PHI to another patient)

While that may seem like a lot, given the enormity of the VA operation, it’s really a minuscule percentage of transactions.

In addition, there were other incidents detailed in the report.  Of the three incidents that I culled from the report to include here, below, only the last one really strikes me as a potentially significant privacy breach in terms of harm, although the second incident also certainly posed some risks.

Stolen Workstation

On September 13, a user reported that her PC workstation was missing and possibly stolen from her work area. The PC workstation was in an office that is not secured by a physical door and uses only a curtain for privacy. Investigation revealed that the workstation contained Microsoft Excel spreadsheets with patient appointment data that included the last name and last 4 of SSN of 332 veterans. The veterans were sent notification letters and the user underwent re-training on security protocols.

Exposure of Paper Records

On September 14, the Office of Corporate Compliance and Loma Linda University (LLU) Adventist Health Science Center sent a letter to the VA Quality Management Office to say that they were in possession of several patients’ records from the VA Medical Center. The records were found by a security officer on or about July 30th. The VA believes that the records were in the possession of a resident physician in the University Medical Program.

Apparently, the resident was in the process of moving his belongings. The box was left on the curb near the residence. The box of documents, compensation and pension exams, X-Ray and MRI films was taken to the compliance office and kept there until someone on the VA staff retrieved the box. The records contained names, home addresses, dates of birth, PHI and the social security numbers of 116 Veterans.

According to the VA, the doctor was a Fee Base Doctor and is no longer employed with VA, having terminated his employment in July.

After further investigation, it was determined that there were 106 records potentially compromised and 106 veterans were sent letters offering credit protection services.

Questioning Access to PHI

A veteran reportedly contacted the Albuquerque Vet Center from his then-current location at Fort Benning, GA, where the veteran was scheduled to deploy on active duty to Afghanistan. The veteran had been informed by a physician there that he was not eligible for deployment due primarily to the content of a progress note recorded earlier in the veteran’s treatment at the Albuquerque Vet Center. That note included specific traumatic events as noted in the military history for the veteran per the center’s intake protocol. The veteran indicated that he never signed any release allowing the Department of Defense or the Department of the Army to access his treatment records at the Readjustment Counseling Services of the VA, nor had the readjustment counseling therapist received any request to disclose such information from any source. The veteran was reportedly extremely upset at this disclosure.

An incident update posted on October 6 says:

According to ISO, the Doctor stated they accessed the information via DOD AHLTA (Armed Forces Health Longitudinal Technology Application) system that connects to VA VistA system, but according to ISO the DOD did not access the Vet Center’s system, this does not rule out other methods. Based on review of RCSnet no breach was identified and after review of accounts all accounts are appropriately assigned. RCS staff was able to obtain permission to access the DOD system and is in the process of scheduling a time to go to Ft. Benning to see exactly how the doctor saw the information and to determine if a HIPAA violation occurred or if there is a computer system issue between the VA VistA system and the VET Center’s system.

So it’s not clear yet how this happened, although it is clear that the VA is taking this seriously and investigating it.

This incident reminds us yet again that privacy breaches involving PHI (and especially mental health data) can have significant impact on one’s life — in this case, a soldier who expected to deploy was told that he could not deploy because of sensitive information in a file that he did not think would be disclosed.


Category: Health Data
