VA report to Congress on data incidents in October
The Department of Veterans Affairs October report to Congress on data incidents is available online. Here are some breaches of note contained in the report:
A Regional Office (RO) guard at the Veterans Benefits Administration in Tennessee found an unencrypted thumb drive inside the facility doors on October 8. The guard took the drive home to investigate and showed it to the guard’s spouse who “maintains a high security clearance thru Department of Justice and DEA.” The guard’s spouse identified the information on the thumb drive as VA sensitive information and the thumb drive was turned in VA custody the next morning. The thumb drive belonged to a VA staff member and had fiduciary information for approximately 240 Veterans and/or beneficiaries. Their full names, SSNs, DOBs, mailing addresses, medical data (health information), and other financial information was included. The thumb drive was the personal property of the employee. The employee was not authorized to maintain VA sensitive information on a thumb drive and had failed to follow VA policies and procedures. The thumb drive was unattended/lost for approximately 16 plus hours and the contents were seen by unauthorized persons. The 240 Veterans were offered credit protection services.
On October 15, an employee reported that multiple pages from an Oklahoma VAMC pulmonary laboratory log book were missing. The log book pages contained patient names and partial Social Security number along with lab test abbreviations. The pages missing from the lab log book could contain up to 1,950 Veterans’ names, appointment times and dates, last 4 of the SSNs, mod/unit, requesting physicians, tests, and lab numbers from 01/01/10 until 10/08/10. Although the military believes that the pages were likely shredded, since there was no proof that the log book pages were shredded, 1,950 Veterans received a notification letter. The VA also noted that due to the number of Veterans affected, public notice and HITECH submission would be required.
On October 25, the Education Department was moving from one storage area to another in the Bronx and a box containing information pertaining to 146 employees who took the Cardiopulmonary Resuscitation (CPR) test was left in the open. The location was accessible by employees as well as volunteers. Privacy information included employee’s names and social security numbers. The employees were notified and offered credit protection.
On October 25, a VA employee in Honolulu took home a list with 180 Veterans’ information, including their full SSN, to have his spouse help him develop a Word document from the list. The employee tried to email the completed Word document to his VA email account but the VA server rejected it. All the documents are back in the hands of the HIMS Chief. She has consulted with HR on the matter and will counsel the employee. The Veterans received a letter offering credit protection services.
Also for the month of October:
Total number of lost Blackberry incidents = 22
Total number of internal un-encrypted e-mail incidents = 79
Total number of Mis-Handling Incidents = 79
Total number of Mis-Mailed Incidents = 115
Total number of Mis-Mailed CMOP Incidents = 10
Total number of IT Equipment Inventory Incidents =2
Total number of Missing/Stolen PC Incidents = 4
Total number of Missing/Stolen Laptop Incidents = 10 (all encrypted)