Healthcare Information Security

VA Sees 60% Decrease in PHI Health Data Breaches in December

From November to December, the VA has seen a decrease in healthcare data breaches, resulting in fewer veterans affected.

In its December monthly report to Congress, the Department of Veterans Affairs (VA) reported a nearly 61 percent decrease in PHI-related healthcare data breaches since November. This is a welcome change from last month’s 36 percent increase in PHI-related healthcare data breaches.

According to the report, December saw only 240 PHI-related healthcare data breaches compared to November’s 616. Consequently, the number of potentially affected individuals also dropped from November to December, with the VA reporting only 394 affected veterans in December and 693 reported in November.

Although there was a significant decrease in the number of PHI-related healthcare data breaches this month, the VA did have to send more data breach notification letters to VA patients. However, the VA did not need to provide as many free credit monitoring services, indicating that potentially less sensitive financial information, such as Social Security numbers, was disclosed this month.

That said, the breakdown of reported events remained relatively consistent. In both November and December the VA reported 47 lost or stolen device incidents. There were slightly fewer lost or stolen PIV cards in December, as well as a modest uptick in the number of mishandled incidents and mis-mailings.

In December there were 78 mishandled incidents and 169 paper mis-mailings. Additionally, there were 3 pharmacy mis-mailings in December.

As usual, the VA also documented a few representative cases which occurred throughout the month.

One such incident entailed an inventory report which accounted for a few missing items. However, the Data Breach Response Service found that no data breach had occurred and no VA health information had been breached.

The month of December also saw the typical mis-mailing incident, where a veteran receives the wrong results in the mail.

For example, in one reported December incident, Veteran A received Veteran B’s lab results in mail correspondence between him and his primary care provider. He alerted his Privacy Officer, who then asked Veteran A to return the lab results. Veteran B received a data breach notification letter per HIPAA regulations.

Mailing staff also received additional training to help prevent similar incidents in the future.

There were also a few reported mishandled incidents throughout the month.

For example, a member of the housekeeping staff reportedly found a file containing documents with 58 VA patient names and Social Security numbers. In one case, a copy of a patient’s EKG report containing full name, Social Security number, date of birth, and EKG date was left at an old ICU desk.

Upon investigation, the VA found that there was no way to determine who was responsible for this breach. Employees have received further privacy education. Additionally, the 58 potentially affected individuals were provided with HIPAA data breach notification letters and were given free credit monitoring services.