- In its March report to Congress, the Department of Veteran’s Affairs (VA) has witnessed a 41 percent decrease in the total number of veterans affected by a potential PHI data breach since February.
The report revealed that there were 417 veterans affected by a possible PHI-related healthcare data breach, which was significantly lower than the reported 707 veterans in February.
According to the March report, there was also a 36 percent decrease in total number of veterans affected by all reported security incidents.
In total, there were 522 veterans potentially affected by a data security event in March. Out of the total number of veterans affected, 288 were notified and 234 were offered credit protections services.
In contrast, the February report showed that 817 veterans were affected by a reported data security incident, which marked the highest number of veterans affected so far in 2016.
Despite a decrease in the number of veterans affected by healthcare data breaches and other reported security incidents, there was a slight increase in total reported events in March.
The VA revealed that there were 462 reported events in March, which represented a negligible increase from 434 reported incidents in February.
Out of the total number of reported data security events in March, 54 involved lost and stolen devices while 172 were caused by lost PIV cards. Compared to February, there were more cases of lost or stolen items.
Specifically, the February report showed 43 lost and stolen devices and 154 lost PIV cards.
There was also a slight increase in the number of mis-mailings. In March, the VA stated that there were 147 mis-mailings, which was modestly higher than the 131 reported in February.
However, the number of reported mishandled incidents decreased slightly, as March saw 89 reported mishandled events.
Additionally, the VA shared some representative cases of the potential data breaches that occurred last month.
One of the largest incidents that happened was reported on March 2 and it was classified as a mishandled incident. An estimated 141 veterans were notified of a potential healthcare data breach and 70 were offered credit protection services.
In this situation, a briefcase was stolen from a physician’s locked vehicle in late February. The briefcase contained two lists of patient names.
The first list was created for use at the VA Stand Down, and it identified 141 veterans by first initial, last name, and the last four digits of their Social Security number. The list also contained current statuses of Primary Care Services consults and which Primary Care groups the veterans was assigned to. The VA confirmed that medical information and dates of birth were not included.
The second list contained information on 70 veterans involved in the provider’s panel on opioids. The information that was possibly disclosed included names, Social Security numbers, dates of birth, opioid prescription nomenclatures, and order histories of the prescriptions.
The VA notified the police, the Privacy Officer, and the Information Security Officer of the potential healthcare data breach.
Another reported security incident affected one veteran after a pharmacy mis-mailing occurred in Tennessee.
A patient received a prescription intended for another individual after a packaging error at a local pharmacy. The individual’s PHI, including name and type of medication, was potentially at risk. The patient who received the wrong medicine contacted the medical center and a replacement prescription was requested for the other individual.
After an investigation, the local pharmacy provided additional training in packing procedures for the employee at fault.
The March report stated that there were two other pharmacy mis-mailings and all veterans who were possibly affected received a HIPAA notification letter.