VA Monthly Information Security Report Shows Fall in Breach Victims in March

The Department of Veteran Affairs has sent its monthly report to Congress detailing the information security incidents affecting VA facilities in March, 2016.

522 veterans were impacted by security incidents in March, 417 of which had their protected health information compromised. This month’s report shows a substantial reduction in breach victims. In February, 707 veterans had their PHI exposed and 817 security incidents were reported.

While the breach victim count was considerably lower in March, the VA report shows an increase in the number of lost PIV cards, lost and stolen device incidents, and mis-mailed incidents. Only mishandled incidents and pharmacy mis-mailings fell in March.

The VA had 54 lost/stolen device incidents compared to 43 in February. There were 172 lost PIV cards compared to 154 in February, and 147 mis-mailed incidents: 16 more than the previous month. Mishandled incidents fell from 106 to 89 in March, and only 3 pharmacy mis-mailings occurred. 5 fewer than February.

There was only one major security incident reported in March, which impacted 211 veterans in the Seattle area. A physician employed by VISN 20 left a briefcase containing two lists of patients in a vehicle overnight. A thief smashed the windows of the car and stole the briefcase and other contents of the vehicle during the night of February 28.

Inside the briefcase were two patient lists. The first list was produced for the VA Stand Down and contained veterans’ initial, last name, status of Primary Care Service consults, the Primary Care Group that the veterans’ consults belonged to, and the last four digits of veterans’ Social Security numbers. 141 veterans were identified on the list.

The second list contained details of 70 patients in the provider’s panel that were being prescribed opioids. This list contained sensitive information including full names, full Social Security numbers, dates of birth, opioid prescription nomenclature, and the last date that medication had been prescribed. Due to the sensitivity of the data contained in the second list the VA has offered credit monitoring services to affected veterans for a period of one year without charge. The other 141 veterans impacted by this security incident only received breach notification letters.

Quarter 1 Information Security Incidents Reported by the Department of Veteran Affairs


Incident Type Quarter 1, 2015 Quarter 1, 2016 Difference % Change
Lost and Stolen Device Incidents 131 143 +12 +9.16%
Lost PIV Cards 421 480 +59 +14.01%
Mishandled Incidents 315 316 +1 +0.32%
Mis-mailed Incidents 426 419 -7 -1.64%
Total Veterans Affected 1,584 1,907 +323 +20.39%
Number PHI Incidents 1,277 1,360 +83 +6.5%

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.