Veteran HIPAA Breaches Fell by Over a Third in January

A recent report sent from the Department of Veterans Affairs (VA) to Congress indicates that HIPAA breaches involving the PHI of veterans fell by 35% from December 2014 to January 2015, while the number of affected individuals fell by 52%.

In December last year, 643 veterans were affected by data breaches, 371 of whom had HIPAA-covered Protected Health Information (PHI) involved. January saw a substantial improvement, with only 310 veterans affected by data breaches, of which 242 involved the exposure of PHI.

The data breaches were divided by the VA into four categories: lost or stolen devices (including laptop computers, PCs and portable storage devices), lost personal identity verification (PIV) cards, mis-mailed incidents (when patients are sent data belonging to other patients) and mishandled incidents, which typically involve the mishandling of two patients' records.

Three of the categories saw a significant drop in the number of affected veterans, while lost PIV cards remained broadly the same, having only increased 6% from 120 to 127 affected individuals.

The number of veterans affected by lost or stolen devices fell by 12%, mishandled incidents fell by 21% and there was a 22% drop in veterans affected by mis-mailed incidents.

The report cites five examples of data breaches which have affected veterans during January. The report details the nature of the incidents, resolutions and whether any further actions or decisions are required.

Many accidental disclosures occurred due to simple mistakes, such as individuals confusing patient records. This was the case with one of the cited examples. A pharmacist in Madison, WI confused two patients' information, resulting in one receiving the appointment list of the other. In this case the matter was swiftly resolved, with the list being retrieved and sent to the correct patient. There were 92 incidents reported in January, the majority of which were of this nature.

Two cases of missing and stolen equipment were cited. In one, two VA laptops, six desktops and a biometric VME Biodrive flash drive were stolen in Wilkes-Barre, PA, although the incident was not understood to have exposed any PHI, as the devices were protected by Symantec Endpoint Encryption software. This was one of five IT Equipment Inventory Incidents recorded.

The loss of a stand-alone laptop from a Cheyenne VAMC Community Based Outpatient Clinic (CBOC) was included in the report because, while no PHI was exposed and access to VA systems was not possible, the device has not yet been recovered.

The majority of incidents involved the mishandling of data, with 118 incidents occurring during the month. One case was cited in which two patients with the same surname were accidentally mailed each other’s information. 117 similar incidents were also reported throughout the month.

There were just 7 mis-mailed Consolidated Mail Outpatient Pharmacy (CMOP) incidents, in which patients had been mailed incorrect prescriptions, out of a total of 10,232,524 prescriptions (7,189,315 packages).

In all cases where PHI was exposed or privacy compromised, the affected individuals have been notified and offered credit protection services for 1 year without charge, if it was deemed appropriate.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.