Governance & Risk Management , Privacy
Personal Info Exposed on Web Calendar
VA Residents Hadn't Changed Password in Three YearsAccording to the VA's Monthly Report to Congress on Data Incidents for November, four orthopedics residents at the Chicago healthcare system maintained a calendar of patients' data on Yahoo.com that included full names, dates and types of surgery and the last four digits of patients' Social Security numbers.
On Nov. 23, the healthcare system's information security officer, chief of surgery and chief orthopedics resident met, where the chief resident logged onto the calendar to show it to the ISO. The next day, the VA blocked access to the site. On Nov. 29, the VA deleted the calendar after each entry was printed to be used in the investigation.
The residents never changed the password during the three years the calendar was in use.
The VA said the 878 patients were being notified.