VA Security Incidents for May Revealed

Even the Smallest Cases Listed
The U.S. Department of Veterans Affairs says six laptops were stolen from its facilities in May, but none of the thefts resulted in a breach.

Roger Baker, assistant secretary for information and technology, offered a litany of security incidents that occurred last month in all VA units, including healthcare, at a June 16 news media teleconference. The VA, which provides healthcare to about 6 million veterans a year, tracks dozens of incidents every month, he acknowledged.

Baker, who plans to offer monthly security updates, held his first briefing with the media May 27 in the wake of a Congressional hearing that took the VA to task for security lapses.

Role of Encryption

Five of the laptops stolen in May were encrypted, so the VA is not revealing the information they contained, Baker said. The other laptop, which was not encrypted, did not contain any patient information.

Under the HITECH Act's Breach Notification Rule, incidents involving information encrypted in a specific way do not need to be reported to federal regulators because the information is presumed to be secure.

Otherwise, the rule requires that breaches affecting more than 500 individuals be reported within 60 days to the media and the HHS Office for Civil Rights. Earlier, the VA reported a May 4 incident involving the loss or theft of a binder with information on 4,083 patients.

The incident occurred at an outpatient laboratory at VA North Texas Health Care System. Because the binder included personal information, including Social Security numbers, the VA offered the vets free ID theft protection for a year.

The incident was the fifth major breach the VA reported to OCR since last September, when the rule became effective.

List of Incidents

Also in May, Baker says the VA had the following security-related incidents at its various healthcare and other facilities, none of which affected more than 500 veterans:

  • 13 lost encrypted Blackberries;
  • 80 incidents of internal e-mails, containing information on veterans, which were not encrypted as required under VA policy;
  • 74 "information mishandling" incidents. For example, a list of 101 emergency department patients was removed from an office by an unauthorized individual, but the list did not include identifiers;
  • 123 incidents of mismailings, such as two letters sent in one envelope by mistake;
  • Four incidents involving IT inventory issues, such as the lack of a record of whether an item was in the location where it should be or was appropriately disposed of.

Two Investigations

Baker also revealed some details on two incidents. In one, police are investigating a break-in at a North Chicago facility where records on 10 employees were taken. The staff members were offered free credit monitoring.

And United Parcel Service notified the VA that one of its employees was found to have prescriptions from six VA patients in Tennessee.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
