March seems to have been a relatively quiet month for the Veterans Administration in terms of breaches reported to Congress. The only incident of note involved the Seattle VA.
According to their monthly report, during the night of February 28, a briefcase containing two lists of patient names was stolen from a physician’s locked vehicle. The vehicle was parked in front of the employee’s home where the car windows were shattered and the contents of the vehicle were stolen.
The first list was generated for use at the VA Stand Down on February 27th. The list identified 141 Veterans by first initial, last name, and last four digits of their Social Security Number. The information on the list included the current status of Primary Care Service consults, and which Primary Care group the Veteran consults were assigned to. The list did not include medical information or dates of birth.
The second list was of patients in the provider’s panel that are on opioids. This list identified 70 Veterans’ full name, full Social Security Number, date of birth, opioid prescription nomenclature, and last time ordered.
The report notes that the incident was first reported to them on March 2nd and that the employee had previously completed training in the Talent Management System, Course #10176 (VA Privacy and Information Security Awareness and Rules of Behavior).
After review and analysis, the VA determined that 70 Veterans would be sent a letter offering credit protection services, while a HIPAA notification letter would be sent to 141 Veterans due to Protected Health Information (PHI) being disclosed.
So what happened to the physician who left the patient information in their car?
They don’t tell us, only that “This [incident] has been referred to Senior VAPD leadership for mitigation and corrective action.”