September VA Information Security Report Shows Increase in Privacy Incidents

Each month the Department of Veterans Affairs issues an Information Security Report to Congress, in which it details the privacy and security incidents that have affected U.S. veterans during the month.

The past two months have seen privacy incidents fall, with the August figures the lowest since January. However, the report for September has seen the trend reversed, with a substantial increase in both incidents and the number of individuals affected. In total, 455 separate privacy/security incidents were reported during the month.

The VA reported 1,135 veterans were affected by security breaches in the month of September, which resulted in 739 breach notification letters being issued and 396 individuals placed at a high enough level of risk of identity theft and fraud to warrant the provision of credit protection services. In August, only 431 individuals were affected by privacy and security incidents.

In fact, September was the second worst month so far this year, with only June seeing more veterans affected (2,076). This is only the fourth month that has seen the number of affected veterans rise above the 1,000 mark. In total, 8,162 individuals have now had their personal information disclosed or exposed in 2015.

September Privacy and Security Incidents

| Security Incident | September 2015 | August 2015 | Difference |
|---|---|---|---|
| Lost/Stolen Devices | 64 | 47 | +17 |
| Lost PIV Cards | 134 | 117 | +17 |
| Mishandled Incidents | 115 | 84 | +31 |
| Mis-Mailed Incidents | 137 | 148 | +11 |
| Pharmacy Mis-Mailings | 5 | 1 | +4 |

The report also provides information on attempted intrusions and malware infections that were blocked or contained. In September, 200,384,851 intrusion attempts were blocked (34,826 fewer than August), 94,664,365 suspicious/malicious emails were blocked (3,963,794 fewer than last month), and 540,486,893 pieces of malware were contained or blocked (3,963,794 fewer than the previous month). In August, 3 devices were infected with malware; only one infection was reported, and contained, in September.

Privacy and Security Incidents Reported in September

The report contains examples of the incidents that were reported during the month, many of which are similar in nature, i.e. Patient A was accidentally mailed information for Patient B. However, one incident resulted in a patient receiving a compact disc containing the full medical records of 70 other veterans. The person in question realized the error and returned the compact disc to VAPSHCS. There is not believed to be any risk of harm, but all concerned have been offered credit protection services as a precaution.

Some other incidents of note, which were out of the ordinary, included:

A well-intentioned message posted on an online obituary of a veteran, resulting in the disclosure of sensitive information. A VA employee had posted the following comment: “It is with deepest regret to hear of Mr. XX passing, he left an impression on the mental health department and staff with smiles and memories,” the privacy violation being the disclosure of the fact that the patient had suffered a mental illness.

A briefcase of an HUD-VASH Case Manager containing 50 VA names, their contact information and last four digits of their social security numbers was stolen.

In a similar incident to one reported last month, an IT inventory revealed a number of lost devices. The number of pieces of equipment discovered to be missing was not specified, although the VA did confirm that all devices were encrypted, so no PHI was exposed.

One case of inappropriate accessing of VA records was discovered following an internal inspection, which revealed that the employee in question had inappropriately accessed the medical records of 58 other VA employees (and potentially 7 others). The employee in question had previously been reprimanded for two past HIPAA violations. Following the discovery, the individual has not returned to work. Also, bizarrely, an employee who was reported to be “disgruntled with her supervisor” took photographs of patient records using her personal smartphone. This incident is still being investigated.

The VA reported that 53 veteran authorizations had been lost by the Business Office Service (BOS), resulting in the individuals concerned being offered credit monitoring services.

One major mis-mailing incident occurred as a result of a mail-merge mis-alignment, which saw 408 individuals receive the names and primary care provider of other veterans.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
