The Department of Veterans Affairs has announced the potential exposure of 1,111 veteran health records after files containing Personally Identifiable Information (PII) and Protected Health Information (PHI) were accidentally tossed in a dumpster.
The files were thrown out with regular waste by an employee of the VA Hot Springs Hospital in South Dakota on Friday, May 15, during a move to a different location. The files were mistaken for regular rubbish, and would have remained in the publicly accessible dumpster were it not for a vigilant employee who noticed the dumped files two days later.
The improper dumping was reported to the Veterans Affairs police, who went dumpster diving to retrieve the files. According to a press release issued by the Fort Meade-based VA Black Hills Health Care System, an investigation was launched after the incident came to light.
Public Affairs Officer Teresa Forbes was interviewed by the Rapid City Journal on Friday last week and said, “It was just an unfortunate mistake during an office move.” The box of files appeared not to have been tampered with, and while files could potentially have been removed by a member of the public or an employee of the hospital, Forbes said the VA is “very confident that we don’t anticipate that their information has been targeted or will be misused.”
Ironically, the dumped files were “part of a patient list generated for internal compliance purposes.” The files and list contained patient names, phone numbers, addresses, and Social Security numbers; the exact information identity thieves require to commit identity fraud.
In accordance with Health Insurance Portability and Accountability Act (HIPAA) regulations, breach notification letters have now been dispatched to all affected patients to alert them to the potential exposure of their data, and to advise them of actions that can be taken to reduce the risk of becoming a victim of fraud. Those measures include obtaining free credit reports from Experian, Equifax and TransUnion, signing up for a year of credit monitoring services and placing fraud alerts on credit reports.
HIPAA Violated by Tardy Breach Response
The breach response was conducted in accordance with HIPAA regulations according to Forbes; however, HIPAA requires breach notices to be issued within 60 days of the discovery of a breach of PHI/PII. Breach notification letters were sent on July 29, more than 10 days after the maximum allowable timescale for alerting breach victims. The security incident must also be reported to the Department of Health and Human Services’ Office for Civil Rights at the same time that breach notification letters are mailed. The incident has now been posted on the OCR’s “Wall of Shame”, dated July 30, 2015.
The VA has been criticized for waiting so long to issue notifications to affected veterans. Forbes responded to the criticism by saying “VA Black Hills worked within the time frames set by our policies; to ensure the investigation was thorough, all affected veterans were identified, and resources put in place to assist veterans.”
The thorough investigation did not identify the person responsible for dumping the files, but the VA was able to identify all patients affected by the data breach, a task that would appear to have required only that a member of staff look at the paper files and check the patients’ names printed on them.
VA Criticized for Routine Privacy Violations
Sen. John Thune (R-S.D.) was infuriated by the breach, claiming this latest scandal to be yet another case of “gross mismanagement” at the VA. He went on to say the incident was “unfortunately illustrative of the continued decline of the Hot Springs VA and the indifference shown to it by the Veterans Administration.”
Each month the VA sends a report to Congress detailing the privacy incidents suffered during the month. The report for June 2015 shows 161 mishandling incidents, 161 paper mis-mailings, 22 pharmacy mis-mailings and 43 lost and stolen device incidents.
One incident included in the report involved the Hudson Valley HealthCare System (HVHCS), which discovered missing equipment when it conducted an IT inventory. The misplaced devices included “1 Laptop, 2 Cameras, 2 TVs, 67 Cell Phones, 3 BlackBerry devices, 2 USB, 18 PCs, 72 Monitors, 2 Tandberg, 5 Servers, 2 Switches, and 18 Printers.”
If a private hospital system were to submit a monthly report to the Office for Civil Rights listing regular HIPAA violations, privacy violations, equipment losses, mis-mailings, handling errors and improper dumping, it would be fined to high heaven and would have long since gone out of business. HIPAA exists to protect the public. Perhaps now is the time for the government, and specifically the VA, to be held accountable for repeated violations of patient privacy.