HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Potential VA PHI Breach Impacts 1,000 Oregon Veterans

This week, the Oregon Department of Veterans’ Affairs announced it suffered a major privacy breach that could impact 967 Oregon veterans.

Copies of DD 214 forms are believed to be in the possession of an unauthorized individual. The DD 214 form is a Certificate of Release or Discharge from Active Duty and contains veterans’ full names, addresses, dates of birth, and Social Security numbers. Data which could potentially be used to steal the identities of veterans and commit fraud.

It is not clear at this stage how the individual came to be in possession of the documents, or the reason why that information was taken. According to a statement released by an ODVA spokesperson, there is no reason to suggest that any of the data have been used inappropriately. However, “ODVA is treating this compromise with critical importance.”

In order to protect affected veterans from identity theft and fraud, affected veterans have been offered a year of credit monitoring services without charge and notifications of the breach have now been mailed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

In order to prevent similar privacy incidents from occurring, ODVA Director Cameron Smith has requested a review of internal policies and procedures. Based on the results of that review, policies will be altered to better protect the privacy of Oregon veterans in the future.

A Bad Week for the Dept. of Veterans’ Affairs

The VA also made the news this week after a ProPublica investigation of PHI breaches shows the Department of Veterans’ Affairs tops the list for complaints made for privacy violations. The VA is the most persistent HIPAA offender and consistently and repeated violates HIPAA Rules.

The ProPublica report cites one case when a VA employee accessed the medical records of her ex-husband 260 times before the privacy violations were discovered. Another case involved the unauthorized accessing of a veteran’s records on 61 occasions by a VA employee who also posted the information on Facebook. Despite numerous instances of privacy violations, many of which are serious, little action appears to be taken against the VA by regulatory bodies.

A Bad Quarter for the Dept. of Veterans’ Affairs

Each month the Department of Veteran Affairs sends a report to congress detailing veterans’ privacy violations. Numerous mis-mailing and mishandling incidents occur each month, and many PIV cards and devices containing veterans’ PHI are lost. In November, 693 veterans had their PHI exposed as a result of theft of devices and mistakes made by VA staff. In October, 648 veterans were affected by privacy breaches. The latest incident ensures that December’s figures will be worse still, and that the upward trend in privacy violations will continue.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.