- After a less than ideal April in terms of PHI incidents, the Department of Veterans Affairs (VA) reported that it had a 51 percent decrease in that type of data breach in May.
The VA’s May report sent to Congress showed that PHI incidents began to drop from May 1 to May 31. In April, the VA reported 738 incidents in relation to PHI, while May saw 361 PHI incidents. Of the total number of veterans affected by incidents in May, approximately 35 percent were in relation to PHI incidents. Specifically, 1,018 veterans were affected last month, with 361 tied to PHI.
Of the reported May incidents, 60 were attributed to lost or stolen devices, which is a slight increase from April where 47 incidents were due to the same cause. Lost PIV cards were the reason for 134 incidents, the VA stated, which is comparable to April when 144 lost PIV card instances were reported.
May saw a decrease in paper mis-mailing incidents though, with 162 reported cases, while April had 204 such incidents.
There was also a slight decrease in mis-handled incidents in May, with 100 such cases being documented. In April, the VA reported 112 mis-handled incidents.
While there was a seemingly large increase in pharmacy item mis-mailings, increasing from three incidents in April to 22 in May, that number is less significant when compared to the total number of pharmacy mailings. In May, the VA reported 22 pharmacy mis-mailings out of 6.6 million total. For April, there were seven incidents out of approximately 7.4 million mailings.
The VA report described several incidents that were reported in May. One such incident did not lead to a data breach of sensitive information, but it dead cause the VA to alter some of its instructions with tablets.
According to the report, the Information Security Officer (ISO) and Fiscal Department were notified on May 13 that a tablet belonging to the Women's Health Project was mailed to the wrong Community Based Outpatient Clinic (CBOC) location. The tablet could not be found after March 30 and was unencrypted. However, it did not contain any sensitive VA data and was not connected to the VA network.
Even so, the VA reported that going forward, tablets will have “labels on them warning users not to enter or store any sensitive information on them. Also, users will be reinstructed to contact the ISO as soon as one is known to be missing.”
One of the mis-handled incidents involved sensitive information being emailed to the wrong recipient.
“A Vocational Rehabilitation and Employment (VR&E) employee emailed 508 Veteran names and SSNs incorrectly to an outside entity,” the report stated. “The information was on a spreadsheet. The individual who received the information was a Veteran who was a client of the VR&E employee.”
The 508 individuals potentially affected will be offered credit monitoring services, the VA explained, and the employee will be “counseled.”
To read the entire VA May report to Congress, click here.