Healthcare Information Security

News

VA Q2 Report Shows Increase in Data Breach Notification

- The Department of Veteran’s Affairs (VA) released its Q2 report to Congress and is seeing a 12.2 percent increase in the number of data breach notification letters being sent out to veterans.

VA sends data breach notification in Q2 report

In the Q2 report, the VA reported a total of 1,039 notification letters sent, while in Q1 the VA reported 926 notification letters sent.

However, the VA reported a large decrease in the number of credit protection letters sent. In the second quarter, there were 934 credit protection letters sent, while in the first quarter there were 9,200 credit protection letters sent, making a 89.8 percent decrease in Q2.

Along with the second quarterly report, the VA sent its June update to Congress on reported PHI incidents. In the report, the VA reported that out of the 2,076 veterans affected by reported events, 935 of them were PHI incidents. This is a 159 percent increase from May’s report of 361 PHI incidents.

The 2,076 reported June incidents included 43 lost or stolen devices, which was a 28 percent decrease from the 60 stolen or missing devices in May. In June there were also 143 lost PIV cards and 104 mishandled incidents, both numbers on par with May’s 134 missing PIV cards and 100 mishandled incidents.

The month of June also had 183 mis-mailing incidents, which is a slight increase from May’s 162 total mis-mailing incidents. In both May and June there were 22 pharmacy mis-mailings reported. However, in May the VA only had 6.6 million total mailings, while in June there were approximately 7.3 total mailings, showing fewer mis-mailings per mailed letter for that month.

The report also included a description of one of the pharmacy-tied mis-mailed items.

In this case, 121 veterans received Medline Industries medical supplies in the mail intended for 121 different veterans, according to the report. As a result of the incident, the names, addresses and medical supplies needs of the veterans were disclosed with the other 121 veterans.

Although the incident was quickly reported and replacement supplies were sent out, this incident did serve as the catalyst for Medline Industries shipping and packing changes, says the report.

Due to the volume of pharmacy mis-mailings and the repetition of their reports, this was the only mis-mailing incident described in the June report.

Another incident, which included lost or stolen devices, involved an unencrypted iPad. According to the report, the iPad was reported missing after its owner transferred between offices.

Because the iPad contained no VA information, and had in fact never been used since it was issued to the owner, the DBCT concluded that this was not a breach of data. The report states that the owner of the iPad has received counseling for the stolen device and that the incident has been included on the report because it involves missing unencrypted equipment. 

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks