Health Information Management

Veterans Affairs sees 158% increase in data breaches

HIM-HIPAA Insider, June 15, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

by John Castellucio, Editor

Data breaches at the Department of Veterans Affairs (VA) took a sharp increase in April 2015, exposing the PHI of 738 veterans, according to the VA’s latest information security activity report released earlier in June. The report also shows a significant reduction in the number of blocked or contained threats.
 
In total, 987 veterans were affected in incidents identified by the VA in April, representing a 158% increase from the previous month. In March, just 383 veterans were affected by data breaches. That number had been falling steadily month-over-month until April.
 
The monthly data report, which is presented to Congress, did not offer explanation for the uptick in incidents other than to break down breaches by type and include narratives of each investigation. The report also noted the VA notified 398 veterans of breaches and offered credit protection services to 589 veterans in April.
 
The main source of the increased breaches appears to be paper mis-mailings. The VA reported 204 in April compared to 165 in March. Several other types of incidents marginally increased or decreased.
 
April
  • Lost and stolen devices: 47
  • Lost PIV cards: 144
  • Mishandled incidents: 112
  • Mis-mailed incidents: 204
  • Pharmacy-item mis-mailings: 3
 
March
  • Lost and stolen devices: 50
  • Lost PIV cards: 154
  • Mishandled incidents: 105
  • Mis-mailed incidents: 165
  • Pharmacy-item mis-mailings: 7
 
The largest single data breach reported in April, however, was the mishandling of files on 358 veterans at the VA Long Beach Healthcare System campus in California. The incident was discovered April 16 when a veteran, who was throwing away trash, found the files tossed in a dumpster on campus. He retrieved them and saw they contained Social Security numbers, birthdates, home addresses, and other private information on veterans.
 
The files were dated 2007 through 2011, and apparently originated from the campus patient business office, according to the investigation notes included in the April report. The veteran notified VA police, who took possession of the files. The privacy officer was also notified.
 
The veteran who found the files then posted a message about it on his personal Facebook page, generating numerous comments and shares by other users. That spawned additional posts to the hospitals’ Facebook page.
 
Investigators determined employees unknowingly left the files behind when they moved out of the accounts receivable office to a new facility. Contractors were hired to move the office furniture and found the documents, which they evidently just tossed in the dumpster.
 
The VA police inventoried the documents and determined all 358 files contained veterans’ Social Security numbers. They noted, however, there was no way to determine whether any files were missing. The VA mailed 77 notification letters to families of deceased veterans and offered credit protection services to 220 veterans. 
 

In another incident, transit applications were mailed to the VBA Central Office in Washington, D.C., for processing and then misplaced in the mail intake center. The documents were not found and contained full names, phone numbers, addresses and the last four digits of Social Security numbers for 173 employees. Those victims were notified of the loss once it was determined to meet the criteria for a data breach.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

    Briefings on APCs

  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular