HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

February Information Security Report Released by VA

The Department of Veterans Affairs (VA) may have suffered fewer security incidents in February; however, the number of veterans affected was significantly higher than in January. There was also a major increase in the number of veterans who had their PHI exposed.

In January, the VA reported that 568 individuals had been affected by security incidents, with 236 having their protected health information exposed. In February, the breach victim count increased to 817 – an increase of 44% – with 707 having had their PHI exposed – an increase of almost 200% month on month. As a result of those data breaches, the VA provided credit monitoring services to 245 veterans – 57 fewer than in January.

The number of incidents involving lost and stolen devices fell slightly from 46 incidents in January to 43 incidents in February. The number of lost PIV cards was unchanged, with 46 reported in both January and February. The VA reported a reduction in mishandled incidents and mis-mailed incidents. In January there were 121 reported mishandled incidents, with 106 reported in February. Mis-mailed incidents fell from 141 to 131 month on month, with pharmacy mis-mailings also falling. There were 10 reported pharmacy mis-mailings in January and 8 in February.

Notable VA Information Security Incidents Reported in February


The majority of incidents suffered were minor and affected just one or two veterans. Typically, veteran A received data or medications that should have been sent to veteran B. In each case the affected veterans received a HIPAA breach notification letter explaining the nature of the privacy breach, and credit monitoring services were offered if particularly sensitive data were accidentally exposed. The VA also reported that two desktop computers were discovered to be missing, although both were encrypted.

A major mishandling incident occurred in February resulting in the potential exposure of 373 veterans’ protected health information.

The incident affected the VA Midwest Health Care Network (VISN 23) in Minnesota. A member of the VA staff conducted a series of group meetings relating to the Mental Health (MH) Outcome Management Program. The data collected in the veterans’ assessments were recorded and were supposed to be entered into veterans’ charts. Four assessments were completed per veteran.

However, the data went missing before it was recorded into veterans’ charts. The employee was questioned about the missing data but was unable to shed any light on the whereabouts of the missing reports. There is a possibility that the information was shredded, but the data could also have been lost and may have been viewed by an unauthorized individual.

The information contained in the reports included veterans’ last names together with the last four digits of their Social Security numbers. Additionally, the answers to veterans’ multiple-choice assessments are missing. Those assessments included details about veterans’ mental health issues, including depression and anxiety, and answers to questions relating to addiction monitoring. Posttraumatic Checklists, University of Rhode Island Change Assessment (URICA) data and Veterans’ Behavior and Symptom Identification Scale (Basis 32) were also lost. Affected veterans have been notified of the privacy breach by mail.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.