A breach involving the Denver VA center was reported in the VA’s most recent monthly report to Congress. I’m including it here because it shows how thorough the VA can be in investigating breaches – and how time-consuming and labor-intensive it can be when someone neglects security measures like a cable:
Incident Summary
Two biomedical device laptops were discovered missing on 05/20/14. VA Police were notified of the event. The two missing laptops were password protected but not encrypted due to being attached to biomedical devices. The laptops were located on mobile test stations in the Pulmonary Department. The portable test equipment was used when patients could not be transported to the Pulmonary Department for testing. The exact number of patients is unknown. The upper limit is 5,000 and could be as low as 350. The ticket will be updated when more information is available.
Incident Update
05/21/14:
Additional questions have been sent to the Information Security Officers (ISO) and Privacy Officer (PO) regarding the missing laptops.
Update: The laptops were not encrypted as they were attached to biomedical devices. The laptops were VA issued equipment (EE#56243 and EE#56244). The Pulmonary supervisor reported that she discovered the laptops missing on 05/20/14 but was informed by one of the technicians that she saw them missing about 2 weeks ago, exact date unknown, but thought they were being worked on. The supervisor then checked with Information Resource Management Systems (IRMS) and Bio-med to see if they had been picked up the reply was negative. The laptops were last inventoried on 04/22/14 in room 6A-144. These were standalone systems and had never been connected to the network. To the best of the facility’s knowledge, the laptops were not secured with cables and it is currently unknown why they were not secured. The facility is currently working on identifying the number of affected individuals (the number could be between 350 – 5000), as well as identifying the identity of the potentially affected individuals.
ISO update: The ISO met again with local Incident Response Team. The team is still working on narrowing down the list of names using the method detailed below.
Patient cohort definition and filtering processes:
— Original search performed for data range 10/13/10 to 05/20/14
— Search criteria included all patients with a CPRS consult named “PFT (OUPT)” requested for the Denver division only
— Within this criteria we identified consults with a status of “Completed” or “Partial Result”
— Developed and compiled a list of patients where the PFT results that were actually performed on a device other that the portable laptop.
— Compared and removed all patients where the PFT was physically performed on a device other than the portable laptop
— Developed and compiled a Fileman report to identify any patient that had a manual scanned image stored within the Vista Imaging electronic records.
— Filtered the results of the scanned images to exclude any C&P scanned records as these were performed at a different location
— All duplicate records were removed
— The final patients have been provided to the clinical staff for individual chart reviews05/23/14:
Update: Based on the filtering processes below completed by the facility, there were 570 patients.– 180 were the ones that had both an electronic result from the main system and also had another PFT order sent so it could not eliminate these from the original cohort as there was not a clean line saying it was only done on the main system. 100% audited; 155 names verified and will be removed. 180 – 155 = 25 (this number of patients will remain on the list)
– The remaining 390 patients, Service is still conducting a 100% audit; 176 more records to go.
– 570 – 155 = 415 may be affected. This is not the final number.The team will meet again at 3:30 PM and the ISO send an update after the meeting.
ISO update: The ISO met again with Eastern Colorado Healthcare System (ECHCS) Facility Incident Response Team, 05/23/14, 3:00 PM local. This was confirmed by the team, there were 239 patients contained on the two stolen VA unencrypted laptops. The laptops contained personally identifiable information on the hard drives; full name, full Social Security number, birth dates, race, and test results.
05/27/14:
The ECHCS facility Incident Response Team has finished reviewing the information that could have been contained on the two missing laptops. The team has determined that 239 individuals’ personally identifiable information (PII)/protected health information (PHI) would have been stored on the laptops.Resolution
This incident was reported to OIG.
As per PO: The letters were mailed out on 05/29/14, a redacted credit-monitoring letter was uploaded, the employees in the department have retaken privacy/information security training, and the incident resolution column was updated.
This incident was reported to OIG.
As per PO: The letters were mailed out on 05/29/14, a redacted credit-monitoring letter was uploaded, the employees in the department have retaken privacy/information security training, and the incident resolution column was updated.
DBCT DBCT Decision Date: 05/27/2014
The DBCT has determined that 239 individuals will receive letters offering credit protection services.
The only thing missing from the above seems to be notification of HHS (or noting that it was to be done). But how many staff hours do you think were spent that week because the laptops weren’t secured to the medical devices by cables? Their time probably could have been better used on other things.