September VA Information Security Report Shows Increase in Privacy Incidents

Each month the Department of Veterans Affairs issues an Information Security Report to Congress, in which it details the privacy and security incidents that have affected U.S. veterans during the month.

The past two months have seen privacy incidents fall, with the August figures the lowest since January. However, the report for September has seen the trend reversed, with a substantial increase in both incidents and the number of individuals affected. In total, 455 separate privacy/security incidents were reported during the month.

The VA reported 1,135 veterans were affected by security breaches in the month of September, which resulted in 739 breach notification letters being issued and 396 individuals placed at a high enough level of risk of identity theft and fraud to warrant the provision of credit protection services. In August, only 431 individuals were affected by privacy and security incidents.

In fact, September was the second-worst month so far this year, with only June seeing more veterans affected (2,076). This is only the fourth month that has seen the number of affected veterans rise above the 1,000 mark. In total, 8,162 individuals have now had their personal information disclosed or exposed in 2015.

September Privacy and Security Incidents

| Security Incident | September 2015 | August 2015 | Difference |
|---|---|---|---|
| Lost/Stolen Devices | 64 | 47 | +17 |
| Lost PIV Cards | 134 | 117 | +17 |
| Mishandled Incidents | 115 | 84 | +31 |
| Mis-Mailed Incidents | 137 | 148 | +11 |
| Pharmacy Mis-Mailings | 5 | 1 | +4 |


The report also provides information on attempted intrusions and malware infections that were blocked or contained. In September, 200,384,851 intrusion attempts were blocked (34,826 fewer than in August), 94,664,365 suspicious/malicious emails were blocked (3,963,794 fewer than last month), and 540,486,893 pieces of malware were contained or blocked (3,963,794 fewer than the previous month). In August, 3 devices were infected with malware; only one infection was reported, and contained, in September.

Privacy and Security Incidents Reported in September


The report contains examples of the incidents that were reported during the month, many of which are similar in nature – i.e. Patient A was accidentally mailed information for Patient B. However, one incident resulted in a patient receiving a compact disc containing the full medical records of 70 other veterans. The person in question realized the error and returned the compact disc to VAPSHCS. There is not believed to be any risk of harm, but all concerned have been offered credit protection services as a precaution.

Some other incidents of note, which were out of the ordinary, included:

A well-intentioned message posted on an online obituary of a veteran resulted in the disclosure of sensitive information. A VA employee had posted the following comment: “It is with deepest regret to hear of Mr. XX passing, he left an impression on the mental health department and staff with smiles and memories,” the privacy violation being the disclosure of the fact that the patient had suffered a mental illness.

A briefcase belonging to a HUD-VASH Case Manager, containing 50 VA names, their contact information and the last four digits of their Social Security numbers, was stolen.

In a similar incident to one reported last month, an IT inventory revealed a number of lost devices. The number of pieces of equipment discovered to be missing was not specified, although the VA did confirm that all devices were encrypted, so no PHI was exposed.

One case of inappropriate access to VA records was discovered following an internal inspection, which revealed that the employee in question had inappropriately accessed the medical records of 58 other VA employees (and potentially 7 others). The employee in question had previously been reprimanded for two past HIPAA violations. Following the discovery, the individual has not returned to work. Also, bizarrely, an employee who was reported to be “disgruntled with her supervisor” took photographs of patient records using her personal smartphone. This incident is still being investigated.

The VA reported that 53 veteran authorizations had been lost by the Business Office Service (BOS), resulting in the individuals concerned being offered credit monitoring services.

One major mis-mailing incident occurred as a result of a mail-merge mis-alignment, which saw 408 individuals receive the names and primary care provider of other veterans.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.