The Department of Veterans Affairs has released its monthly report to Congress on data breaches. For the period August 30 – October 3, the reported incidents included:
- 33 incidents involving mis-mailed prescription medication packages by the Consolidated Mail Outpatient Pharmacy [out of 7,144,426 total packages (10,510,547 total prescriptions)] and
- 60 Mis-Handling incidents (these might involve revealing one patient’s PII and PHI to another patient)
While that may seem like a lot, given the enormity of the VA operation, it’s really a minuscule percentage of transactions.
In addition, there were other incidents detailed in the report. Of the three incidents that I culled from the report to include here, below, only the last one really strikes me as a potentially significant privacy breach in terms of harm, although the second incident also certainly posed some risks.
Stolen Workstation
On September 13, a user reported that her PC workstation was missing and possibly stolen from her work area. The PC workstation was in an office that is not secured by a physical door and uses only a curtain for privacy. Investigation revealed that the workstation contained Microsoft Excel spreadsheets with patient appointment data that included the last name and last 4 of SSN of 332 veterans. The veterans were sent notification letters and the user underwent re-training on security protocols.
Exposure of Paper Records
On September 14, the Office of Corporate Compliance and Loma Linda University (LLU) Adventist Health Science Center sent a letter to the VA Quality Management Office to say that they were in possession of several patients’ records from the VA Medical Center. The records were found by a security officer on or about July 30th. The VA believes that the records were in the possession of a resident physician in the University Medical Program.
Apparently, the resident was in the process of moving his belongings. The box was left on the curb near the residence. The box of documents, compensation and pension exams, X-Ray and MRI films were taken to the compliance office and kept there until someone from the VA staff retrieved the box. The records contained names, home addresses, dates of birth, PHI and the social security numbers of 116 Veterans.
According to the VA, the doctor was a Fee Base Doctor and is no longer employed with VA, having terminated his employment in July.
After further investigation, it was determined that there were 106 records potentially compromised and 106 veterans were sent letters offering credit protection services.
Questioning Access to PHI
A veteran reportedly contacted the Albuquerque Vet Center from his then-current location at Fort Benning, GA, where the veteran was scheduled to deploy on active duty to Afghanistan. The veteran had been informed by a physician there that he was not eligible for deployment due primarily to the content of a progress note recorded earlier in the veteran’s treatment at the Albuquerque Vet Center. That note included specific traumatic events as noted in the military history for the veteran per the center’s intake protocol. The veteran indicated that he never signed any release allowing the Department of Defense or the Department of the Army to access his treatment records at the Readjustment Counseling Services of the VA, nor had the readjustment counseling therapist received any request to disclose such information from any source. The veteran was reportedly extremely upset at this disclosure.
An incident update posted on October 6 says:
According to ISO, the Doctor stated they accessed the information via DOD AHLTA (Armed Forces Health Longitudinal Technology Application) system that connects to VA VistA system, but according to ISO the DOD did not access the Vet Center’s system, this does not rule out other methods. Based on review of RCSnet no breach was identified and after review of accounts all accounts are appropriately assigned. RCS staff was able to obtain permission to access the DOD system and is in the process of scheduling a time to go to Ft. Benning to see exactly how the doctor saw the information and to determine if a HIPAA violation occurred or if there is a computer system issue between the VA VistA system and the VET Center’s system.
So it’s not clear yet how this happened, although it is clear that the VA is taking this seriously and investigating it.
This incident reminds us yet again that privacy breaches involving PHI (and especially mental health data) can have significant impact on one’s life — in this case, a soldier who expected to deploy was told that he could not deploy because of sensitive information in a file that he did not think would be disclosed.