VA Privacy and Security Incidents Decreased in October

The Department of Veteran Affairs’ October Information Security Report to congress makes for easier reading than last month’s report, when the personal information of 1,135 veterans were exposed in security incidents. VA privacy and security incidents decreased in October, with 648 veterans affected. Aside from August when just 431 records were exposed, this was the best month for the VA since March 2015.

453 veterans were reported to have had their Protected Health Information exposed as a result of VA privacy and security incidents last month. 285 incidents were serious enough to warrant credit protection services being offered to reduce the risk of harm or loss, and 363 beach notification letters were mailed to veterans.

VA Privacy and Security Incidents Reported in October


Security Incident October 2015 September 2015 Difference Percentage Inc/Dec
Lost/Stolen Devices 49 64 -15 -23.43%
Lost PIV Cards 158 134 +24 +17.91%
Mishandled Incidents 81 115 -34 -29.57%
Mis-Mailed Incidents 123 137 +14 -10.22%
Pharmacy Mis-Mailings 8 5 +3 +60%


The month saw a considerable reduction in the number of mishandling incidents, and also a sizable reduction in the number of mis-mailing incidents and lost/stolen devices; however, there was an increase in the number of lost PIV cards in October.  There were three more pharmacy mis-mailings reported in October than last month; although, since 7,119,592 pharmacy mailings were sent during the month of October the percentage of mis-mailed incidents was very low.

Each month, numerous privacy breaches are caused as a result of errors being made sending information to veterans. One veteran being accidentally given the PHI of another veteran. These common errors are promptly reported and only rarely result in any harm coming to the individuals concerned.

However, this month a number of other privacy and security incidents were uncovered. VACO OI&T in Washington DC discovered it had lost 4 Blackberry devices, two laptops and an iPhone, each of which contained information on patients. The equipment audit also revealed a further 12 items of equipment were also found to be missing, although they were not capable of storing data. The phones were disabled remotely and the laptops were encrypted. It is not clear exactly when the phones were disabled and therefore the length of time PHI was potentially accessible.

A digital camera was reported missing by a Houston, TX nurse. The SD card in the camera contained images of patients’ wounds along with veterans’ last names and the last four digits of their Social Security numbers. Approximately 200 patients were affected by the equipment theft. Under normal circumstances the camera is stored in a locked cabinet, but the camera is understood to have been stolen from a preparatory room. To reduce the probability of data being exposed in similar incidents the staff has been instructed to remove the data from SD cards once information has been transferred to patients’ medical record files.

A serious breach affected 54 veterans in Chicago after a travel log was left on a bus by a driver. The list contained the full names and social security numbers of veterans. As a result of the exposure of their SSNs, all affected veterans were offered credit monitoring services.

Another incident was reported in October that affected 55 Chicago-based veterans. A binder was found by a visitor in an unsecured closet in a construction zone. The information in the binder included patient records dating back to 1991, from three separate hospitals. Credit monitoring services were offered to 17 patients who are still alive, while notifications have been issued to the next of kin of 38 deceased veterans.

In Wichita, KS, an unofficial logbook containing the PHI of 60 veterans was found in the street by an VA employee. The logbook contained patient names, dates of birth, addresses, lab information, and full social security numbers. The log book had apparently been kept by a primary case worker. A few days after the logbook was discovered, additional pages were located in the street detailing the same data elements of a further 7 individuals. All were offered credit monitoring services as a precaution against ID theft and fraud.

So far this year, the personal information of 8,910 veterans has been exposed in VA privacy and security incidents.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.