I was skimming the Veterans Administration report to Congress on data breaches and incidents for February and thinking, “Hey, this looks pretty good this month,” and then…. I saw an incident involving the VA Midwest Health Care Network in St. Cloud, Minnesota.
On February 9, a staff member conducted group meetings to complete a paper packet with four assessments per veteran in the Mental Health (MH) Outcome Management Program. The assessment results were to be recorded into the veterans’ charts and tracked. The assessments contained contained the veterans’ last name and last four digits of the SSN and multiple choice questions relating to depression, anxiety, brief addiction monitoring, University of Rhode Island Change Assessment (URICA), Behavior And Symptom Identification Scale (Basis 32), and the Posttraumatic Checklist.
But – and it’s not clear what happened – the assessment packets could not be located afterwards and were not recorded in the veterans’ charts. The employee reportedly does not know if the packets were shredded or are just missing.
As a result of this, 373 veterans were to be sent a HIPAA notification letter.