On June 10, the Salt Lake City Regional Office of the Veterans Administration was notified that the The Wounded Warrior Program Office in Seattle had received a box from a veteran in Anchorage. The veteran had previously gone to the Anchorage office in April to request a copy of her VA file, and several weeks later, had returned to pick up the copy of her file. She was given a box of what was supposed to be her records, but when she eventually opened the box at home, she discovered that she had been given a box with the personally identifiable information of other individuals. Unsure what to do, she sent it to the Seattle office, who after reviewing the contents, discovered what appeared to be primarily Human resources (HR) and payroll related information on employees, including their names and Social Security numbers.
It appears the box contains miscellaneous HR forms such as VA Form 5-97 re: Notice of Pending Personnel Action forms and Finance Activity Forms from Austin Data Processing Center (DPC) with Station 463 (Anchorage, Alaska) employees listed.
No veteran protected health information (PHI) was in the box.
1,008 employees were offered credit protection services as a result of the breach.
And all because the receptionist handed the veteran the wrong box….