HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

VA Information Security Report for January Released

The Department of Veteran Affairs has released its monthly report to congress detailing the privacy and security incidents reported in January, 2016.

44% more veterans were affected by privacy and security incidents in January 2016 than in December last year. 568 individuals were affected in January, resulting in 271 notification letters being sent. 297 individuals were offered credit protection services to mitigate risk after their personal information was accidentally disclosed. Breaches of protected health information fell slightly month on month. In December, 240 veterans’ PHI was exposed. 236 veterans had their PHI exposed or disclosed last month.

The number of lost and stolen device incidents was virtually unchanged with 46 incidents reported in January compared to 47 in December, while the number of mis-mailed incidents fell by 17% with 141 incidents reported this month compared to 169 in December.

There was an 18% increase in the number of lost PIV cards with 154 cards reported lost in January, and a 55% increase in the number of mishandled incidents with 121 incidents reported in the month of January. Pharmacy mis-mailings also increased from 3 in December 2015 to 10 in January 2016.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

VA Security Incidents Reported in January 2016

Each month a number of privacy violations occur involving in one veteran receiving the medical records of another veteran as a result of a mailing error or mishandling incident. Patients also occasionally receive the prescription of another veteran. In each case, the individual member of staff concerned is advised of the mistake and is educated on correct procedures. In the majority of cases no further action is necessary and minimal harm is caused to the affected veterans.

In January, there were two major privacy incidents reported. A mailing error was reported to VISN 12 in Hines IL., by a veteran who had received a document containing the names and addresses of other veterans who had been prescribed the same medication has him. The secretary for Nutrition and Food Services had received incorrect information that resulted in veterans being mailed flyers intended for other veterans.

The mailings were sent to notify veterans that another company would be providing their medications, however, multiple flyers were accidentally placed in each envelope. In total, 84 individuals had their names and details of their medications disclosed to another individual. One incident involved a veteran receiving flyers intended for 14 other individuals.

Another major incident was reported involving VISN 12. In Chicago IL., the personal data of 97 veterans were accidentally disclosed to an unauthorized individual. A Program Application Specialist (PAS) clerk was working with a document containing veteran data when she was visited by a veteran. The document was immediately turned over to prevent the information being viewed; however, the veteran placed a laptop computer on top of the document. When the veteran picked up the laptop computer after the enquiry had been dealt with, he also took the document with him.

The veteran in question could not be contacted by the management and the document was not retrieved. All 97 individuals were offered credit monitoring protection services to mitigate risk of loss or harm.

An equipment inventory performed by VISN 20 in Anchorage revealed three desktop computers had gone missing over the course of the past year. An investigation conducted by IT staff did not result in the computers being located. No veteran data were exposed as the computers were protected by encryption. Two other equipment inventory incidents were reported. Veteran data were also not exposed as the devices were encrypted.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.