Veterans Administration responds to Freedom of Information request; releases breach reports
So what did we miss because the Veterans Administration stopped posting their monthly breach reports to Congress on their web site? DataBreaches.net filed a Freedom of Information request on June 7, and the VA has responded by providing all of the requested monthly reports for the period May, 2016 – June 7, 2017. As an overview: there appears to be no major shift in the number of breaches reported each month by the VA.
The monthly reports generally contain descriptions of incidents in which numbers of veterans were either sent HIPAA notifications or offers of credit protection services. In addition, the VA provides a summary of how many mishandling incidents, mismailing incidents, and mismailed Consolidated Mail Outpatient Pharmacy (CMOP) incidents there were. For comparison purposes, in June 2016, there were 186 mismailing incidents, 6 mismailed CMOP incidents, and 117 mishandling incidents. In May, 2017, there were 199 mismailing incidents, 7 mismailed CMOP incidents, and 111 mishandling incidents. To keep these in perspective, however, it is important to note that these are a tiny percentage of all of the incidents VA facilities handle on a monthly basis.
But here are 22 breach incidents I found in the reports, below. Only one resulted in any press release or media coverage at the time – at least as far as DataBreaches.net can determine – which is why we need the VA to be transparent and make these reports publicly available.
In chronological order, beginning with May, 2016:
A contractor for the Ralph H. Johnson VAMC lost a USB drive used in the process of fit-testing respirators for employees. Neither the outpatient clinic where it was last used nor the rental car company the contractor used could locate it. On June 23, the IT technician for the contractor confirmed that the USB drive was not encrypted because an encrypted drive could not be used in the PortaCount device. A total of 992 employee were sent notification letters because their names and partial SSNs were on the drive.
The VA Sunshine Healthcare Network in Bay Pines, FL reported on June 21 that 386 requests for medical records could not be found. By the time they concluded their search, they determined that 235 living veterans needed to be sent letters offering credit protection, while next-of-kin notification letters were also sent to others.
On June 24, another case was opened in Bay Pines after they were notified by an anesthesiologist that a logbook containing approximately 50 patients’ names, full SSNs, and dates of birth had been missing for approximately two weeks. Investigation determined that the logbook contained information on 294 veterans, but they were unable to determine exactly what information had been included for each veteran as this was not an approved logbook. All 294 veterans were subsequently offered credit protection services.
In another incident involving a a potential breach in Fargo, North Dakota, the ex-wife of a former telework employee discovered 62 pieces of returned mail while cleaning out a file cabinet. She returned the documents to the local VAMC, but the facility that was supposed to investigate reportedly did not contact her and there was no further contact with the employee in question, who had transferred to a different office. Sixty-two veterans were sent letters offering credit protection services .
102 veterans participating in a research study in San Francisco received letters notifying them of a breach under HIPAA after a researcher’s car was broken into on July 16, 2016 and a research participants’ log was among the stolen items. The log contained a recruitment flyer and the participants’ first and last names, appointment date and time, phone number, and last four digits of SSN.
On Sept 8, the Mid-Atlantic Healthcare Network in Beckley, WV learned that a binder with patient satisfaction discharge call back forms for the months of July and August was missing. The binder was an unapproved logbook that contained an estimated 70-80 patients’ information, including full name, full SSN, and date of birth. After further review and analysis, the VA determined that 150 veterans would be sent letters offering credit protection services.
The Midwest Health Care Network in Minneapolis reported an incident on September 8, 2016 after copies of prosthetic device information from various vendors went missing during office relocation. After investigation, the VA determined that 351 veterans would be sent letters offering credit protection services.
88 veterans in St. Louis, Missouri (the Heartland Network) were sent letters offering credit protection services after a medical student left patient lists in her lab coat, and left her coat in her car, which was then broken into.
Portland, Oregon (Northwest Network) opened an investigation on December 1, 2016 after a veteran received an appointment letter that included a four-page list with information on 162 veterans – last name, first initial, last four digits of SSN, clinic appointment title and date of appointment. The 161 living veterans were sent HIPAA notification letters; one next-of-kin notification letter was sent.
Columbus, Ohio (VISN 10) opened an incident on December 12, 2016 after an employee emailed PII externally that contained protected health information on 179 patients to three different applicants in error. There were 178 HIPAA notification letters sent and one next-of-kin notification.
A mishandling incident of note occurred in Muskogee, Oklahoma (the South Central Health Care Network). A veteran notified VA staff after spotting blood vials lying on the ground in front of a dumpster filled with blood and information for each patient (name and full SSN). The recovered vial rack contained 93 veteran specimens, 30 of which were recovered and 63 of which were unaccounted for. 93 veterans were sent letters offering credit protection services.
Memphis, TN (the MidSouth Healthcare Network) opened an investigation on January 8 after a principal investigator reported the mailing of 961 research study survey letters sent out with the wrong names. The mailing addresses were correct, but the wrong study subject’s name from another group in the same research study had been included. 961 veterans were sent HIPAA notification letters, but 240 were returned as undeliverable. After deleting duplicates, there were 687. But why did the VA conclude that credit monitoring would be required? The survey letter did NOT contain any SSNs, “only the survey questions about pain medication taken by the research subject.”
A mishandling incident involving the Seattle, Washington VA (the Northwest Network) illustrates how labor-intensive a breach response can be. In this case, the VA was first notified by Everett Transit Authority that they needed to speak to someone in Research about an item they had found. It took days before anyone called them back to determine that it was a flash drive that appeared to be associated with a principal research investigator at Puget Sound. But when the VA actually looked at the contents of the drive yet even more days later, they discovered that it contained copied data from older studies and at least one or two folders with research subjects’ protected health information. Most of the data files were from 2004 – 2009, before the VA started giving out encrypted drives. The VA was able to identify the owner of the drive, who no longer worked for the VA and may have lost the drive while packing up to move to her new location. More than 500 files had to be reviewed to determine who might need to be sent letters. All told, 36 were sent credit protection service offers and an additional 373 individuals were sent HIPAA notification letters.
An incident reported by the St. Louis, Missouri VA (Heartland Network) is yet another reminder about disgruntled or terminated employees being able to walk out with PHI. The Privacy Officer received an email from a VA attorney alerting them that in response to a discovery request the VA attorney had made in an employment case, the VA had received VistA print outs of scheduled consults that had veterans’ last name, first initial, and last 4 digits of SSN of “many Veterans” some including those that received HIV counseling. The VA’s investigation revealed that the former employee had the records in his posession and had not been employed by the VA since January 2016 (one year previously). By the time they concluded the investigation, they had identified 724 individuals requiring 615 HIPAA notification letters, 48 credit protection service offers,, and 61 next-of-kin notifications. Because there were more than 500 affected, a press release was also required. The media did pick up the report at the time and I had noted it on DataBreaches.net at the time, but where is the more detailed explanation of how the employee was able to exfiltrate or obtain so much data and it was never detected through internal controls?
A mishandling incident in February resulted in 61 veterans at the Fayetteville, Arkansas (South Central Health Care Network), getting credit protection officers. The incident occurred because after an employee contacted environmental services to pick up sensitive confidential shred, they didn’t, and staff left for the day, leaving the bag in the copy room. The next day it was gone – presumably taken by the cleaning crew who would have disposed it with the regular trash.
In February, the West Palm Beach VA (the Sunshine Network) opened an investigation after an employee found a folder in a women’s bathroom. The folder contained many handwritten documents from veterans, including at least 6 full SSNs, with names, dates of birth, and 282 partial SSNs. There were also full names, admission dates, and diagnoses. At least 6 veterans had documents covered by 38 U.S. Code § 7332 (confidentiality of medical records). Further investigation revealed there were 17 diagnoses covered by 7332. The majority of documents were signed by a mental health provider. The bathroom was located in an inpatient mental health ward, but was accessible to patients and their visitors. After removing duplicates, there were 69 unique veterans affected; 62 were sent HIPAA notification letters, while 7 were sent credit protection service offers.
Denver (Rocky Mountain Network) investigated in March after an employee left lab tissue on a cart outside freight elevators for 24 hours because the employee could not get into the morgue. The elevators and the area around them are accessible by everyone (not just employees) and the lab specimens were anatomic pathology specimens labeled with veterans’ full name, full SSN, and date of birth. As a result, 68 veterans were sent credit protection service offers; one next-of-kin notification was sent, and and administrative action was recommended with respect to the employee.
The VA is clearly not immune to insider snooping or employee wrongdoing problems, as some of the following incidents indicate:
Dayton, Ohio (VISN 10) opened an investigation in March after an employee’s name was found on three colleagues’ Sensitive Patient Access Report (SPAR) reports. The employee had no reason to access those medical records. When contacted about the access, the employee resigned, but the investigation continued, and by early April, they had determined that the employee had accessed 223 veteran and employee EMRs without cause, and had shared information on three (2 employees and 1 patient) with other VA employees. The difficulty in determining what accesses were legitimate is reflected in their report:
The VA calls this next one a “Mishandling” incident. I’d call it an insider-wrongdoing breach. The Murfreesboro, TN VACO Field Program Office opened an investigation in March because an employee teleworking due to RA had allegedly trained and gave access to her boyfriend, who was accessing veterans’ accounts daily to complete her workload for her. The VA incident summary does not indicate how the VA first became aware of what was going on, but as a result, 113 veterans were sent letters offering credit protection services. The employee turned in her government-owned laptop, the VPN account was disabled, and all account accesses were terminated. Additional disciplinary action was alluded to but not detailed.
Another case of employee wrongdoing was reported by Philadelphia (VISN 04) in April, 2017. The spouse of an employee printed a copy of a veteran’s information and provided it to family court for her child support hearing. The veteran was sent a HIPAA notice due to PHI being disclosed, and disciplinary action was taken towards the staff member. It is not clear from the summary whether the employee actively assisted his spouse in acquiring the veteran’s information or was just negligent in protecting it.
In April, Palo Alto VA (the Sierra Pacific Network) reported that a binder with “return clinic appointments orders) containing information on approximately 50 veterans had been been removed from a locked cabinet between April 7 and April 10. The list was recreated and was determined to include full names, full SSN, and personal phone numbers and clinic names for 77 veterans, who were sent credit protection service offers; one notification letter was sent to next-of-kin.
Portland, Oregon (Northwest Network) investigated after an estate attorney called to report a deceased employee’s house was being cleaned and boxes of VA medical records had been found in her garage. After review and analysis, 42 veterans were sent letters offering credit protection services, and 23 were sent HIPAA notification letters. The summary does not explain why the now-deceased employee would have VA medical records in her home, when her employment with the VA had terminated (if it had terminated prior to her death), and why the removal of the records had never been detected, if they had not been.
As noted earlier, DataBreaches.net only obtained these reports because the site filed a Freedom of Information request. The VA did not produce any documents in response to my request for documentation as to why they suddenly stopped making these reports publicly available. And they produced no documentation in response to my request as to how they complied with federal law about providing notice for a change in procedure. Their only response was to assert – without citing any statute – that these reports are not mandated to be provided monthly. DataBreaches.net respectfully disagrees with the VA’s claim and interpretation, and is considering appealing that portion of the response.
Note that ProPublica also requested the monthly reports from the VA, but in a different format, and they may post them in a more easily analyzable format in the future if and when they receive them. For now I am uploading the pdf files of the reports as I received them from the VA so that they are publicly available: the May – Dec, 2016 reports and the Jan – May 2017 reports.