VA: PHI Incidents Fall in July; Breach Notification Letters Increase

The Department of Veterans Affairs has issued its July and Q3 data security report to Congress, indicating there were fewer Protected Health Information (PHI) exposures in July than in June, with fewer breach victims created. However, the total number of security incidents – and the number of individuals affected by those incidents – has been steadily rising throughout the year.

The July report shows fewer individuals were affected by data breaches. In June, the VA reported 2,076 individuals had been affected by data breaches. The July figures are much improved, with only 1,031 individuals affected. There was also a reported fall in PHI incidents, which affected 872 individuals in July compared to 935 individuals in June. Even with that reduction, more breach notification letters were sent out in July than in the previous month – 779 letters in July compared to 543 notification letters in June.

Lost and Stolen Device Reports Increase


Lost and stolen devices are still a leading cause of data exposure. In July, the VA reported 56 security incidents involving lost or stolen devices, an increase of 30% from the previous month. Mis-mailing incidents fell slightly from 183 to 158.

Pharmacy mis-mailings regularly feature on the report. The number of mailing errors is minuscule compared to the 7.3 million prescriptions that are written, although errors are made each month. In June the VA reported 22 pharmacy mis-mailing incidents, with July showing a slight increase to 27 reported incidents. Mis-handling incidents also increased from 104 in June to 111 in July.

Malware Attacks are a Growing Concern


The VA monthly data security report details the number of security incidents that resulted in the exposure of veteran data, but also the number of attacks that the VA has prevented. The figures from June and July are similar, although the number of malware threats resisted during the month increased considerably. The June figures showed a total of 680,233,603 malware attacks that had been prevented. By the end of July the figure had risen to 791,111,239.

Quarterly Figures Show Worrying Trend


The figures for July do show a slight decrease in security incidents; however, the figures for the quarter tell a different story. Over the course of the year, the number of security incidents and breach victim total has risen steadily. In the first quarter of 2015, 926 breach notification letters were dispatched. In Quarter 2 the figure was 1,039, while the figures for quarter were 2,590.

Examples of Security Incidents


Each monthly security report includes examples of incidents affecting veterans. The incidents reported are usually very similar: Patient A is given the medical results of Patient B, for example. When these incidents occur, they are usually identified and rectified promptly.

For July, the VA detailed six incidents. One patient received an after-visit summary note relating to another patient, a provider referral was sent to an incorrect patient, and a prescription error was cited in which a patient received a prescription containing the name and medication of a different patient. Numerous incidents of this nature were reported in July.

However, three incidents reported were atypical. One incident involved a dental student who tore pages out of a prep manual which contained patient names, the last 4 digits of their Social Security numbers, and details of the dental procedures performed. The student claimed the information was removed and sent for destruction – placed in the burn bin – however, after an investigation, the information was not located. 89 individuals were believed to have potentially had their privacy violated.

An incident was also listed in which an employee used a Veteran Association Outlook email account to send information outside the VA network, resulting in the potential exposure of 391 veteran records.

The final listing involved the theft of a personal laptop computer used to access the VA system. The device was left in a vehicle from where it was stolen. The investigation revealed that no information had been downloaded onto the laptop, although access to data was possible. The incident has been contained, and the hard drive has been set to be remotely erased.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.