The Veterans Administration continues to struggle with securing veterans’ personal and protected health information, as its monthly reports to Congress reflect. First, consider the sheer number of different types of incidents reported to Congress for the month of August:
| Total number of Internal Un-encrypted E-mail Incidents | 92 |
| Total number of Mis-Handling Incidents | 114 |
| Total number of Mis-Mailed Incidents | 138 |
| Total number of Mis-Mailed CMOP Incidents | 9 |
| Total number of IT Equipment Inventory Incidents | 9 |
| Total number of Missing/Stolen PC Incidents | 1 (1 encrypted) |
| Total number of Missing/Stolen Laptop Incidents | 9 (9 encrypted) |
| Total number of Lost BlackBerry Incidents | 17 |
| Total number of Lost Non-BlackBerry Mobile Devices (Tablets, iPhones, Androids, etc.) Incidents |
3 |
To illustrate the ongoing problems, consider four specific incidents reported last month:
Portland, Oregon: A VA medical assistant took two provider panel lists home in March, 2014 to work on them over a weekend. In August, 2014, the medical assistant’s husband found the list and told the nurse he was going to use it to have her fired. The VA noted that the documents, which were recovered when the husband voluntarily turned them over to VA police, contained a total of 1740 veterans’ information: full SSNs, eligibility codes, last appointment dates, and the first ten letters of the name (with the format being last name, first name up to ten letters total). Credit protection services were offered to 1686 veterans involved, and notification letters were sent to next of kin for 54 deceased veterans.
I don’t see any notice on their web site, but I think we should eventually see this one on HHS’s breach tool.
Milwaukee, Wisconsin: Several veterans returned letters postmarked on 08/22/14 that contained a generic letter outlining the new facility procedures regarding opioid treatment. The letters contained the veterans’ correct street address, but were paired with another’s name. The letter itself contained no identifiable information. However, each incorrect recipient was getting another veteran’s name on the envelope, revealing that the named veterans were taking an opioid of some sort.
Investigation revealed that there was mistake made with the mail merge function in Word, and a total of 210 veterans were impacted. Each of those affected received a HIPAA disclosure notification and a request to return the incorrect envelope in an included postage-paid self-addressed envelope.
West Palm Beach, Florida: A motor vehicle operator informed his supervisor that he left the clipboard from his vehicle, his daily work schedule and his VA-issued cell phone on the roof of the government minivan he was driving. The employee thinks he drove away with these items on top of the vehicle. He tried to reverse his route but could not find any of the missing items. The clipboard contained the work schedule for the day and the special mode appointment List for the day. The appointment list contained 52 veterans’ full names, last four numbers of their SSN, full address, and contact phone number. The 52 veterans were sent a HIPAA letter of notification of the inadvertent loss.
Cleveland, Ohio: A call center agent in the National Call Center left a steno notebook in a common break area which was accessible to the public. The notebook contained claim and social security numbers for 269 veterans. All of them were sent credit protection service offers.
Given how massive the VA system is, it’s not surprising to see human error breaches, but I wonder how much breaches are costing the VA each year in terms of time to investigate, mailings, and offers of credit protection.