Share this article on:
Each month the Department of Veteran Affairs issues a report to congress on the information security incidents experienced by VA facilities over the course of the month. Protected health information (PHI) exposures increased considerably in April, with 2,105 veterans’ PHI being accidentally disclosed or exposed.
In total, 2556 veterans were affected by information security incidents in April, resulting in the VA sending 1,690 breach notification letters. Due to the relatively high risk of misuse of data, 866 veterans were offered credit protection services.
While the number of veterans affected by these security incidents was considerably higher than in March – when 522 veterans were affected by information security incidents and 417 had their PHI exposed – fewer incidents were reported by VA facilities.
In April there were 39 lost and stolen device incidents compared to 54 in April, lost PIV cards fell from 172 to 128, mishandling incidents dropped from 89 to 87, and 146 mis-mailed incidents were reported compared to 147 incidents last month.
Major VA Data Breaches Reported in April
The largest privacy breach affected a VA facility in Hines, IL (VISN 12) and resulted in the exposure of 235 veterans’ PHI when a package was lost in transit. The package contained details of veterans’ home-oxygen information which was sent on March 25, 2016 from the Madison VA. The package was sent via the USPS but was discovered not to have arrived on April 5. A search was conducted to determine if the package had been received by another department, but it could not be located. All 235 veterans affected by the potential privacy breach have been notified by mail.
The Veteran Benefits Association in Fort Harrison, MT., reported an information security incident that affected 162 individuals. The privacy breach occurred when a representative of Vocational Rehabilitation and Employment (VR&E) sent a file containing veterans’ names and Social Security numbers using an unencrypted yahoo.com email account. The email was routine; however, the representative accidentally sent an incorrect file. The VA reports that the individual that received the email has agreed to delete the attachment, although as a precaution, the VA has offered all affected individuals credit monitoring services.
Bay Pines, FL (VISN 08) reported the accidental disclosure of veterans’ names after a contact list containing the names of 103 veterans was found by a lawn maintenance worker. The list belonged to Urban Development Veterans Affairs Supportive Housing (HUD VASH) and the employee who lost the list has been disciplined. Staff at VISN 08 have been provided with additional training.
An VA employee of Las Vegas, NV (VISN 22) was discovered to have removed documents on billing, Torts, and claims not approved. The documents had been placed in an envelope instead of a sealed red document bag – as was required under VA policies.
The documents were placed on the roof of the employee’s vehicle while that individual entered. However, that person then drove off leaving the documents on the roof of the car. The documents were found by a member of the public and were handed in to the VA. The individual responsible for the breach was not identified. The documents contained the names, addresses, dates of birth, and genders of 84 veterans. 28 veterans’ had their names and claim numbers exposed. The latter were offered credit monitoring services to mitigate risk. The remaining veterans were sent a breach notification letter.