Share this article on:
The Department of Veteran Affairs has released its monthly report to congress summarizing the information security incidents suffered by VA hospitals and clinics in December 2015.
December 2015 VA Information Security Report
September 2015 was a bad month for the Department of Veteran Affairs (VA), with 1,135 veterans affected by privacy breaches. The total fell substantially in October 2015, with 648 affected veterans, although that figure rose to 693 in November. The figures for December 2015 show a marked improvement month on month with only 394 veterans affected. That makes December the best month for the VA since March 2015, and the fourth best month of the year for privacy violations in terms of the number of individuals affected.
While the victim count improved last month, the number of privacy and security incidents suffered actually increased.
Fewer Lost PIV Cards but More Mishandled and Mis-mailed Incidents
The number of lost and stolen device incidents was unchanged month on month, with 47 incidents reported in both November and December. December saw the number of lost PIV cards decrease by 16%, from 156 incidents in November to 131 incidents in December.
However, there was a 17% increase in the number of mishandled incidents, jumping from 64 in November to 78 in December. Mis-mailed incidents also increased, jumping from 114 in November to 169 in December; an increase of 48% month on month.
There was a small increase in the number of pharmacy mis-mailings. 3 incidents were reported in December compared to just the one incident in November.
December information security incidents required 181 breach notification letters to be mailed to veterans, and 213 veterans were offered credit protection services to mitigate the risk of financial harm as a result of the exposure of their personal information.
VA Privacy and Security Incidents Reported in December 2015
Many of the incidents reported were relatively minor involving the personal information of one veteran being disclosed to another individual in error. The sending of a prescription to an incorrect patient for example. In December, the number of mis-mailed incidents of this nature was relatively low, with just three reported errors of this nature out of 6,991,142 packages sent.
The sending of lab test results to incorrect veterans continues to be a problem. Numerous privacy incidents of this nature are suffered each month. A total of 169 mis-mailed incidents were reported in December involving medical information such as lab test results being sent to incorrect individuals.
78 mishandling incidents were reported, although only one was detailed in the report, which involved a consult being sent to one veteran with the personal information of another veteran.
The most serious privacy violation detailed in the report affected 58 veterans and warranted them being offered credit monitoring services due to the nature of data exposed. The incident occurred on December 7, and involved documents containing veterans’ names, Social Security numbers, dates of birth, and EKG dates being left unprotected at an “old ICU” desk of a Seattle facility by a housekeeping employee. The documents were recovered, but there is no telling whether the information contained in the documents had been accessed during the time that they were left unsecured.