Department of Veteran Affairs Reports 158% Hike in Data Breaches

The Department of Veteran Affairs has issued its monthly data breach report to congress. Over the past few months the number of breach victims has been falling; however the latest figures show a marked increase in the number of data breach victims.  There was also a noticeable decrease in the number of security incidents the DVA was able to prevent.

In March, 383 veterans were reported to have been affected by data breaches. The number of breach victims reported for April was 987; a percentage increase of almost 158%. 738 of those incidents involved the exposure of Protected Health Information (PHI); almost 75%.

What Caused the Increase in PHI Breaches in April?

There was a slight increase in the number of mishandling incidents in April, but the biggest cause of the increase, by far, were mis-mailing incidents, which rose by 19 percent. Errors made by pharmacies increased substantially, although there was a slight drop in lost/stolen devices and PIV cards.

Information Security – Monthly Activity Report – April 2015


  • Lost and stolen device incidents:  47
  • Lost PIV Cards:  144
  • Mishandled incidents:  112
  • Mis-mailed incidents:  204
  • Pharmacy Mis-mailings:  3 out of 7,307,142 individual mailings


Information Security – Monthly Activity Report – March 2015


  • Lost and stolen device incidents:  50
  • Lost PIV Cards:  154
  • Mishandled Incidents:  105
  • Mis-mailed incidents:  165
  • Pharmacy Mis-mailings:  7 out of 7,465,613 individual mailings


Examples of Data Breaches Reported to Congress


The reported mis-mailing errors were varied. Typically they involved errors such as Patient A receiving mailings for Patient B. One cited example involved a patient receiving prescriptions for two other patients, resulting in their medication information being compromised. A research study mailing was also mentioned in which some of the patients receive letters with incorrect names on the envelopes as a result of an old database being used.

One data breach occurred when transit applications were sent to VBA Central Office (CO) for processing and were misplaced. The DHL delivery reached the depot, but was subsequently lost. The incident affected 173 individuals.

The largest data breach involved a mishandling incident that affected 358 veterans. The error reportedly emanated from the Patient Business Office of the VA Long Beach Healthcare System. A veteran noticed medical files in a dumpster. Those records contained some Personally Identifiable Information (PII). The paperwork was believed to have been accidentally left behind when the previous office tenants relocated. The documents were subsequently dumped in the belief that they were trash.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.