Healthcare Information Security

Patient Privacy News

PHI Incidents Decrease 34 Percent in January for VA

By Elizabeth Snell

The number of PHI incidents affecting veterans decreased by 34 percent from December 2014 to January 2015, according to the latest report from the Department of Veterans Affairs (VA). The VA’s most recent data report sent to Congress found that in January, 310 veterans in total were affected by a data breach. Of those, 242 were in relation to PHI incidents.

In December, the VA had 643 veterans affected by a data breach. Of those instances, 371 were considered PHI-related incidents.

The VA uses four categories to describe the data breach causes:

  • Lost and stolen device
  • Lost personal identity verification (PIV) card
  • Mishandled incidents
  • Mis-mailed incidents

In January, three of those categories saw a decrease in incidents. The largest drop was in mishandled incidents, which decreased by 24 in the one-month period. A total of 45 data breaches were tied to a lost or stolen device, which is a decrease from the 51 reported in December. Finally, mis-mailed incidents dropped by 17 incidents from December to January, according to the VA.

Lost PIV cards saw a slight increase, rising from 120 data breach incidents in December to 127 in January.

One of the mishandled incidents involved a pharmacist who confused two veterans’ names. One patient was then given the incorrect appointment list.

“Staff have been reminded to verify Veteran information before disclosing it outside of VHA, whether to a Veteran or to another entity,” the report stated. “Additionally, it was recommended that they complete actions for one Veteran prior to processing another as working with information from multiple Veterans increases the risk of accidental disclosure.”

In all 92 mishandled incidents, potentially affected veterans will receive a notification letter and/or be offered credit monitoring, if appropriate, according to the VA report.

Another example given in the report was of a lost, or possibly stolen, device. The case took place in Cheyenne, Wyoming and was first opened on Jan. 8. A Cheyenne VAMC Community Based Out Patient Clinic (CBOC) employee reported that an unencrypted laptop was missing. The only application on the device was called “TruthPoint,” which is a survey that is given to veterans after they are seen at CBOC.

“The laptop does not connect to the VA network,” the report stated. “A connection is made using a Verizon Wireless MiFi. At no time is there any PHI/PII on this machine. VA Police are conducting an investigation and has notified the OIG of the missing hardware.”

Even though there was no PHI on the laptop, the report said that the Contracting Officer’s Representatives (COR) of the program were instructed to order cable locks for these devices in order to prevent future issues.

The decrease in PHI incidents is seemingly part of a larger trend for the VA. There was also a decrease in such data breaches from 2014 Q4 to 2015 Q1. Specifically, 926 notification letters were sent to veterans from Oct. 1, 2014 to Dec. 31, 2014, a drop from the 6,760 letters about potential data breaches sent out in the previous quarter.
