Veterans Affairs sees 158% increase in data breaches
HIM-HIPAA Insider, June 15, 2015
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
Data breaches at the Department of Veterans Affairs (VA) took a sharp increase in April 2015, exposing the PHI of 738 veterans, according to the VA’s latest information security activity report released earlier in June. The report also shows a significant reduction in the number of blocked or contained threats.
In total, 987 veterans were affected in incidents identified by the VA in April, representing a 158% increase from the previous month. In March, just 383 veterans were affected by data breaches. That number had been falling steadily month-over-month until April.
The monthly data report, which is presented to Congress, did not offer explanation for the uptick in incidents other than to break down breaches by type and include narratives of each investigation. The report also noted the VA notified 398 veterans of breaches and offered credit protection services to 589 veterans in April.
The main source of the increased breaches appears to be paper mis-mailings. The VA reported 204 in April compared to 165 in March. Several other types of incidents marginally increased or decreased.
April
- Lost and stolen devices: 47
- Lost PIV cards: 144
- Mishandled incidents: 112
- Mis-mailed incidents: 204
- Pharmacy-item mis-mailings: 3
March
- Lost and stolen devices: 50
- Lost PIV cards: 154
- Mishandled incidents: 105
- Mis-mailed incidents: 165
- Pharmacy-item mis-mailings: 7
The largest single data breach reported in April, however, was the mishandling of files on 358 veterans at the VA Long Beach Healthcare System campus in California. The incident was discovered April 16 when a veteran, who was throwing away trash, found the files tossed in a dumpster on campus. He retrieved them and saw they contained Social Security numbers, birthdates, home addresses, and other private information on veterans.
The files were dated 2007 through 2011, and apparently originated from the campus patient business office, according to the investigation notes included in the April report. The veteran notified VA police, who took possession of the files. The privacy officer was also notified.
The veteran who found the files then posted a message about it on his personal Facebook page, generating numerous comments and shares by other users. That spawned additional posts to the hospitals’ Facebook page.
Investigators determined employees unknowingly left the files behind when they moved out of the accounts receivable office to a new facility. Contractors were hired to move the office furniture and found the documents, which they evidently just tossed in the dumpster.
The VA police inventoried the documents and determined all 358 files contained veterans’ Social Security numbers. They noted, however, there was no way to determine whether any files were missing. The VA mailed 77 notification letters to families of deceased veterans and offered credit protection services to 220 veterans.
In another incident, transit applications were mailed to the VBA Central Office in Washington, D.C., for processing and then misplaced in the mail intake center. The documents were not found and contained full names, phone numbers, addresses and the last four digits of Social Security numbers for 173 employees. Those victims were notified of the loss once it was determined to meet the criteria for a data breach.
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
Related Products
Most Popular
- Articles
-
- Don't forget the three checks in medication administration
- Residency coordinators’ responsibilities
- RPA Subscriber Exclusive: February issue of Residency Program Alert now available
- Study: Shorter shifts reduces residents’ attentional failures
- Practice the six rights of medication administration
- Editor’s note
- Nursing responsibilities for managing pain
- The consequences of an incomplete medical record
- Prevent dehydration with nursing interventions
- Q&A: Primary, principal, and secondary diagnoses
- E-mailed
-
- White Paper: Postacute CDI: An Introduction to Long-Term Acute Care Hospitals
- Use modifiers -59, -91 to "explain" duplicate codes
- Tim Porter-O'Grady sounds off
- Q: Can you clarify the reporting of dates on the plan of care for diagnosis onset and exacerbation?
- ICD-10-CM coma, stroke codes require more specific documentation
- Fracture coding in ICD-10-CM requires greater specificity
- Eight tips to improve MRI throughput
- Searched