Department of Veteran Affairs 2015 Privacy Violations

The U.S. Department of Veteran Affairs (VA) is the largest integrated health system in the United States, operating 1,700 hospitals, clinics, domiciliaries, counselling centers, and community living centers. Those facilities include 1,203 outpatient sites, 300 Vet Centers, and 144 hospitals, with the VA serving approximately 5.8 million patients each year.

Each month, the VA submits a report to congress containing a summary of privacy and security violations that have been suffered by VA hospitals and clinics.

The VA has come under increasing criticism in recent months for the number of privacy violations and security incidents it suffers. In 2015, an average of 833 veterans had their privacy violated each month. The privacy and security incidents were often serious enough to warrant the provision of credit monitoring services to address risk. On average, 452 veterans are offered these services each month to protect their identities and credit after errors have been made by VA staff.

2015 has been a bad year for privacy violations, with almost 10,000 veterans affected by security incidents at VA facilities. The majority of the violations involve the accidental disclosure of personal information and protected health information to another individual, such when test results of one veteran are accidentally mailed to incorrect individuals. Other more serious violations have involved multiple individuals and have exposed Social Security numbers, test results, and other sensitive information.

Summary of Monthly VA Privacy Violations Impacting U.S. Veterans


2015 Privacy Incidents Annual Total Monthly Average
Veterans Affected 9,997 833
Notifications Required 4,575 381
Credit Protection Services Issued 5,422 452
Health Information Incidents 6,659 555


Privacy Incident Total Incidents Reported in 2015
Lost and Stolen Devices 591
Lost PIV Cards 1,698
Mishandled Incidents 1,164
Mis-mailed Incidents 1,802
Pharmacy Mis-Mailed Incidents (Feb-Dec) 105


Major 2015 VA Privacy Violations

Some of the major 2015 VA privacy violations that have affected more than 100 veterans have been summarized below.

February 2015

Acting as a whistleblower, a former VA employee from a Denver, CO., VA facility provided a wait list containing information on 508 patients to a reporter. The list contained the last four digits of SSNs, veteran names, and clinic names.

A break in at a San Francisco, CA., VA center potentially resulted in patient encounter forms of 250 veterans being viewed by a burglar. The documents were recovered, although some may have been taken in the break in.

April 2015

A Long Beach, CA., facility incorrectly disposed of documents containing veterans’ PHI in regular trash bins. Veterans’ full SSNs were exposed. 358 documents were recovered, each containing a name and an SSN. There was no way of determining in any documents had actually been removed from the trash.

Transit applications sent between two Washington, DC., VA facilities were lost. 173 veterans had their names, addresses, contact phone numbers, and the last four digits of their SSNs exposed.

May 2015

An employee of Vocational Rehabilitation and Employment (VR&E) in Portland, OR., emailed a spreadsheet containing 508 veteran names and SSNs to an outside entity in error. That individual was a client of the employee.

June 2015

A veteran from Anchorage, AK., requested a copy of her VA file and was provided with a box containing HR and payroll documents detailing the names and SSNs of VA employees and other veterans. In total, the names and SSNs of 1,008 individuals were exposed.

A Medical Support Assistant (MSA) from a Columbia, MO., facility discovered a list of 193 veterans on her desk. The list contained names and highlighted SSNs and appeared to have been left there overnight.

July 2015

A VA employee from Houston, TX., emailed a list of veteran names and SSNs to his private Yahoo email account. The full names and SSNs of 26 veterans were detailed in the list, along with names and other information relating to another 391 individuals.

September 2015

The names and primary care provider names of 408 veterans were inadvertently disclosed to incorrect individuals after an error was made during a mail merge conducted by a Honolulu, HI., VA facility.

October 2015

A digital camera containing photographs of veterans’ wounds, along with their names and the last four digits of their social security numbers was stolen from a clinic preparatory room at a Houston, TX., VA facility. 200 veterans were affected by the privacy breach.

November 2015

A clinic list containing the names and full SSNs of 259 veterans was dropped in a public bathroom at a Boston, MA., VA facility. The list was recovered the following day, but since the area was heavily trafficked, the information could have been viewed by a number of unauthorized individuals.

A nurse lost a list of veteran names and SSNs in a VA canteen in Miami, FL. The list was not recovered. 126 individuals were impacted by the privacy breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.