HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

November VA Information Security Report: 693 Veterans’ Data Exposed

The November information security report from the Department of Veteran Affairs to congress shows a slight increase in the number of breach victims month on month. There were almost 7% more breach victims created in November than October, 2015, with 693 veterans affected compared to 648 last month.

There were significant improvements in the number of mishandling incidents, down almost 21% from 81 in October to 64 in November. There were approximately 7% fewer mis-mailed incidents reported for the month, falling from 123 to 114 over the same period. Pharmacy mis-mailings were also down from 8 in October to just one incident out of 6,145,859 mailings sent in November: A major improvement month on month.

Figures for the number of lost devices were virtually identical to October, with 47 devices reported lost compared to 49 last month. The November VA information security report indicates 156 PIV cards were lost in November. There were 158 PIV cards reported lost in October.

Fewer breach notifications needed to be sent out in November, although substantially more victims were offered credit monitoring services. November’s security breaches required 559 veterans to be offered credit monitoring services, which represents a 96% increase month on month.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Major Incidents Highlighted in November VA Information Security Report

A number of veterans received paperwork intended for other veterans; however, three serious incidents were detailed in the November VA information security report.

The most serious privacy breach was reported by the Miami VA Healthcare System. The incident resulted in 126 veterans having their names, Social Security numbers, and IC-9 codes exposed. A nurse dropped two pages of a three-page report which was being used as part of a project to convert old IC-9 codes to the new IC-10 codes. The pages were dropped in a staff canteen and were not recovered. All affected veterans were offered credit monitoring services to mitigate risk.

One incident affected 259 veterans of the VA New England Health System in Boston, which resulted in their names, Social Security numbers, and procedure information being exposed. A clinic list was discovered in a public bathroom on November 5. The list had been printed on November 4, and according to the VA, it is unlikely that the list was dropped and left overnight. The restroom was maintained by housekeeping, which would have located the document had it been dropped the day previously. It is not clear how many individuals entered the bathroom and could potentially have viewed the information as the area was not covered by security cameras. Members of staff are to be re-informed on correct document handling procedures during the next staff meeting and credit monitoring services will be provided to all affected veterans.

The third major incident involved the theft of a laptop computer. The laptop was stolen from a VA contractor, and while that contractor maintained no PHI was stored on the laptop, which would have been a breach of VA regulations, an investigation revealed that some medical data was potentially accessible. Partial Social Security numbers, veterans’ names, QTC identification numbers, and some medical information were all potentially compromised. Credit monitoring services were not provided, although notification letters were sent to all 84 veterans affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.