- The Department of Veterans Affairs (VA) saw a significant improvement in health data breaches for the month of October. The agency’s monthly report to Congress shows a 50 percent decrease in PHI-related incidents compared to the September report.
In total, 648 veterans were affected by some sort of health IT security incident over the past month, a near 40 percent decrease from the 1,135 affected individuals in September. The VA also reports a decrease in lost or stolen devices from 64 to 49, and a decrease in mishandled incidents from 115 to 81.
From September to October, the number of lost or stolen PIV cards and mis-mailing incidents stayed relatively consistent.
The VA also detailed several of the specific incidents that occurred throughout the past month. One of the mis-mailing incidents, for example, involved a letter which was placed into the wrong envelope, resulting in one veteran seeing the PHI of another veteran. The letter was returned to the Community Based Outpatient Clinic, and the second veteran received a HIPAA notification letter due to his or her PHI being disclosed.
There was also a case involving a mis-mailed pharmacy package. One patient received another’s pharmacy package, disclosing the second patient’s name and medication type. This incident was determined a Consolidated Mail Outpatient Pharmacy (CMOP) packaging error. The CMOP employee responsible for the error was counseled and retrained in proper packing, and the second patient has been issued a HIPAA notification letter. This was one of the 8 reported events out of the 7,119,592 total package mis-mailings for the month.
Several other instances were recounted in the report, including those about lost or missing devices. For example, a nurse reported a missing digital camera that was used to photograph wounds in a VA wound clinic. The SD card in the camera also documented and stored patient names and the last four digits of Social Security numbers. Although the camera was typically stored in a locked cabinet, it may have been left in one of the clinic’s preparatory rooms.
As of October 20, the camera still had not been found, so the VA Police were contacted. Due to the PHI that may have been potentially exposed on the camera, the VA has issued HIPAA notification letters to all potentially affected individuals.
The VA also explained an open case for a mishandling incident. A VA employee began working from his or her Virginia home remotely, and took paper copies of some patient records to do so. The VA states that it will issue more information once the investigation is more complete, but currently the VA is determining:
The number of individuals potentially affected
Whether the employee tried to gain authorization to remove the paper documents
How the paper documents were secured in his or her home
Who may have seen or had access to these documents
What the current state of the documents is
Another mishandling incident involved one veteran receiving another’s appointment list. The veteran shredded the document, and the document was not returned to the VA facility. As a result, the second veteran will receive a HIPAA notification letter. The staff responsible for the incident will also be re-educated about distributing patient appointment lists.