Privacy breaches in VA health records wound veterans

Carl Prine of the Pittsburgh Tribune-Review reports on an investigation they conducted on privacy breaches involving veterans’ health records. Some of their findings:

… VA workers or contractors committed 14,215 privacy violations at 167 facilities from 2010 through May 31, victimizing at least 101,018 veterans and 551 VA employees. Photos of the anatomy of some were posted on social media; stolen IDs of others were used to make fraudulent credit cards.

[…]

Eleven times since 2010, criminal investigators found VA employees in Massachusetts, Ohio, Virginia, Florida and Washington stealing veterans’ identities or prescriptions. The outcome of those cases is unknown because VA privacy officers decided the outcomes should be private.

In 2012, a medical clerk in Miami was sentenced to two years in prison for selling undercover agents data belonging to 22 veterans. The employee confessed to stealing the identities of 3,000 vets over five years before a credit card fraud scheme fell apart.

[…]

One in 365 privacy violations was turned over to the agency’s Office of Inspector General, VA police or outside law enforcement. VA privacy officers recommended that 31 people lose their jobs for unlawful disclosures — nearly half of them contractors, volunteers, medical students or part-time staffers. Officials cannot estimate how many employees were terminated for privacy violations but conceded that it’s rare.

In 82 cases, providers illegally released medical information or failed to secure patient consent during studies, violating the privacy of 2,856 vets.

Failure to encrypt data. The VA mandated data scrambling on computers as a result of the 2006 theft in Maryland of a laptop containing 26.5 million veterans’ records. Since 2010, however, at least 16,183 vets were put at risk because VA employees failed to encrypt electronic gadgets that got lost or stolen.

Related: