When a reporter came into possession of some veterans’ information, the San Antonio VA found itself with a reportable breach and a leak to investigate. From the VA’s report to Congress:
Incident Summary
During an on-camera interview on the evening of 06/02/14 with 4 VHA employees (identities disguised), the News 4 Reporter from WOAI stated “last week a source with ties inside the San Antonio VA gave News 4 a partial recall delinquency list. It shows 150 Veterans needing medical care in the beginning of May”. The Reporter went on to say, “We spoke with Veterans on this delinquency list.” The facility is in the process of attempting to obtain the list of patients the Reporter obtained “illegally” and to determine the source. Further information will be added as soon as it is available.
Incident Update
06/09/14:
This is still being investigated by the Privacy Office. The Privacy Officer (PO) has been in contact with the Reporter and is attempting to retrieve the information. As of 06/06/14, the Reporter has not provided the information requested. The PO is requesting, at the very least, to have the names of the individuals whose information was disclosed without authorization so that VA can begin the notification process.
06/10/14:
The Incident Resolution Service Team determined that, based on the VA Breach Criteria, this would be a breach and require notification, since the full name and partial SSN were disclosed. The 161 Veterans will receive a HIPAA letter of notification. The Data Breach Core Team (DBCT) concurred.
06/10/14:
No DBCT decision needed. This is informational due to the number of Veterans affected.
The VA’s entry does not indicate whether they ever identified the source of the leak or what actions might have been taken.