Share this article on:
The U.S. Department of Veteran Affairs (VA) is the largest integrated health system in the United States, operating 1,700 hospitals, clinics, domiciliaries, counselling centers, and community living centers. Those facilities include 1,203 outpatient sites, 300 Vet Centers, and 144 hospitals, with the VA serving approximately 5.8 million patients each year.
Each month, the VA submits a report to congress containing a summary of privacy and security violations that have been suffered by VA hospitals and clinics.
The VA has come under increasing criticism in recent months for the number of privacy violations and security incidents it suffers. In 2015, an average of 833 veterans had their privacy violated each month. The privacy and security incidents were often serious enough to warrant the provision of credit monitoring services to address risk. On average, 452 veterans are offered these services each month to protect their identities and credit after errors have been made by VA staff.
2015 has been a bad year for privacy violations, with almost 10,000 veterans affected by security incidents at VA facilities. The majority of the violations involve the accidental disclosure of personal information and protected health information to another individual, such when test results of one veteran are accidentally mailed to incorrect individuals. Other more serious violations have involved multiple individuals and have exposed Social Security numbers, test results, and other sensitive information.
Summary of Monthly VA Privacy Violations Impacting U.S. Veterans
|2015 Privacy Incidents||Annual Total||Monthly Average|
|Credit Protection Services Issued||5,422||452|
|Health Information Incidents||6,659||555|
|Privacy Incident||Total Incidents Reported in 2015|
|Lost and Stolen Devices||591|
|Lost PIV Cards||1,698|
|Pharmacy Mis-Mailed Incidents (Feb-Dec)||105|
Major 2015 VA Privacy Violations
Some of the major 2015 VA privacy violations that have affected more than 100 veterans have been summarized below.
Acting as a whistleblower, a former VA employee from a Denver, CO., VA facility provided a wait list containing information on 508 patients to a reporter. The list contained the last four digits of SSNs, veteran names, and clinic names.
A break in at a San Francisco, CA., VA center potentially resulted in patient encounter forms of 250 veterans being viewed by a burglar. The documents were recovered, although some may have been taken in the break in.
A Long Beach, CA., facility incorrectly disposed of documents containing veterans’ PHI in regular trash bins. Veterans’ full SSNs were exposed. 358 documents were recovered, each containing a name and an SSN. There was no way of determining in any documents had actually been removed from the trash.
Transit applications sent between two Washington, DC., VA facilities were lost. 173 veterans had their names, addresses, contact phone numbers, and the last four digits of their SSNs exposed.
An employee of Vocational Rehabilitation and Employment (VR&E) in Portland, OR., emailed a spreadsheet containing 508 veteran names and SSNs to an outside entity in error. That individual was a client of the employee.
A veteran from Anchorage, AK., requested a copy of her VA file and was provided with a box containing HR and payroll documents detailing the names and SSNs of VA employees and other veterans. In total, the names and SSNs of 1,008 individuals were exposed.
A Medical Support Assistant (MSA) from a Columbia, MO., facility discovered a list of 193 veterans on her desk. The list contained names and highlighted SSNs and appeared to have been left there overnight.
A VA employee from Houston, TX., emailed a list of veteran names and SSNs to his private Yahoo email account. The full names and SSNs of 26 veterans were detailed in the list, along with names and other information relating to another 391 individuals.
The names and primary care provider names of 408 veterans were inadvertently disclosed to incorrect individuals after an error was made during a mail merge conducted by a Honolulu, HI., VA facility.
A digital camera containing photographs of veterans’ wounds, along with their names and the last four digits of their social security numbers was stolen from a clinic preparatory room at a Houston, TX., VA facility. 200 veterans were affected by the privacy breach.
A clinic list containing the names and full SSNs of 259 veterans was dropped in a public bathroom at a Boston, MA., VA facility. The list was recovered the following day, but since the area was heavily trafficked, the information could have been viewed by a number of unauthorized individuals.
A nurse lost a list of veteran names and SSNs in a VA canteen in Miami, FL. The list was not recovered. 126 individuals were impacted by the privacy breach.