The Department of Veterans Affairs (VA) experienced approximately a 36 percent increase in PHI healthcare data breach incidents during the month of November, according to the agency’s most recent report to Congress.
Although the VA saw an increase in PHI-related incidents, the difference in the total number of healthcare data breaches was negligible, with 648 reported in October and 693 reported in November.
Between October and November, the number of lost or stolen devices and lost PIV cards remained almost exactly the same. There were 49 lost or stolen devices in October and 47 in November. Similarly, there were 158 lost or stolen PIV cards in October and 156 in November.
There was a slight decrease in the number of mishandled incidents in November, going down from 81 incidents in October to 64 incidents in November. Likewise, there was a slight decrease in mis-mailing incidents this month, with 123 incidents in October and 114 incidents in November.
The VA also includes a few examples of healthcare security cases that occurred this past month.
For example, one mis-mailing incident involved two packages being labeled incorrectly. After one veteran received another veteran’s package, and vice versa, the incidents were reported and new, corrected packages were sent to both veterans. The VA also sent both veterans HIPAA data breach notification letters due to their PHI being disclosed.
The report also details a mishandled incident during which a clinic list was left in a public restroom in a high-traffic location. The VA determined that the list was an 11-page clinic list that encompassed the entire month of October, and included patient names, full Social Security numbers, and procedure details for a total of 285 veterans.
Although the VA reports that the list was printed on November 4 and recovered on November 5, the agency does not believe that it was left in the restroom overnight due to the restroom’s regular maintenance performed by the housekeeping staff.
To remedy the issue, the VA conducted a re-education protocol and issued letters offering credit monitoring services to the potentially affected individuals.
The VA also describes one of the 47 incidents of lost or stolen devices for the month of November, detailing one case where a VA Contractor reported a personal laptop stolen. The VA Contractor used this laptop for part of his or her professional duties, thus storing some patient information on it.
Initially, the employee claimed no PHI was included on the laptop. However, because the VA could not confirm the validity of that claim, it labeled this as a data breach. Upon further investigation, the VA determined that no Social Security numbers were included on the laptop, but that some patient names or diagnostic information could have been on it.
Ultimately, the VA found that the potentially disclosed information includes patient names and some medical information for 84 patients. The VA states that it will issue data breach notification letters to those 84 patients.
The VA has been dealing with some other healthcare data security issues within recent months. Back in September, the Office of the Inspector General investigated allegations that the VA Palo Alto Health Care System (PAHCS) had entered into an illegal agreement with tech company Kyron.
OIG found that although it could not confirm the allegations of an agreement between the two entities, employees at Kyron were able to view patient information inappropriately.
“Based on our interviews, review of available documentation and relevant criteria, and our judgment, we determined the Chief of Informatics, who was also the local program manager for the pilot program, failed to ensure Kyron personnel met the appropriate background investigation requirements before granting access to VA patient information,” the report explained. “The Chief of Informatics also failed to ensure Kyron personnel completed VA’s security and privacy awareness training.”
This lack of training was a major issue, according to OIG, because it violated several aspects of the VA patient privacy handbook. Because unauthorized software accessed patient information, health data security and patient privacy were put at significant risk.