Network security breach with Milwaukee VA affiliate
September 1, 2016
On August 22, 2016, Medical College of Wisconsin notified Milwaukee VA Medical Center of an incident compromising an MCW employee’s email address and, subsequently, private and protected health information of 21 veterans.
On Aug. 29, 2016, Milwaukee VA notified 19 of the 21 veterans of a breach of personal and protected health information by sending a letter depicting the event and providing resources to protect and monitor each veteran’s private and protected health information.
Milwaukee VA shares health information with MCW as an academic affiliate. This breach of security of veteran health information is serious and Milwaukee VA is here to protect and provide world-class healthcare to our former service men and women. If any event negatively affects our veterans, VA will do everything in our power to correct and prevent these types of events. It is our honor to serve those who serve us and Milwaukee VA will always ensure the care they deserve.
As of today, no reports from veterans were made regarding malicious activity stemming from this information.
Attached is the letter sent to veterans.
SOURCE: Milwaukee VA Medical Center.
The 21 veterans were only part of the story, though. The Medical College of Wisconsin issued its own notification that indicated that 3,200 patients were part of a security breach, with unusual activity in an employee’s email account noticed on July 5. WISN reports:
On Aug. 3, forensic investigation determined that an unauthorized third-party had accessed the email account over a limited three-day period from July 2 to July 4.
Their notification letter does not appear to be on their web site at the time of this publication. Any bets as to whether their notification says that their employee mismanaged the email account, as the VA Medical Center claimed in their notification letter to those affected?
According to WISN, the email account in question contained full names, dates of birth, home addresses, medical record numbers and codes or notes related to diagnosis or treatment provided. Also, the Social Security numbers of two patients were included in the email account.