This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

Veterans In Partnership (VISN 11)

VISN 11 Indianapolis, IN

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on March 30, 2011. Also cited in 213 other reports.


Report ID: SPE000000060203, U.S. Department of Veterans Affairs

Reported Entity: VISN 11 Indianapolis, IN

Issue:

VA Neurosurgery Contract staff transmitted/stored VA patient personally identifiable information (PII) and protected health information (PHI) including name, last four digits of the SSN and diagnosis, to a non-VA website found at http://www.editgrid.com. The site is an on-line spreadsheet where users can save data and access it from any internet browser. The contract staff save VA PII/PHI in a spreadsheet, as a way to track their VA procedure schedule. A shared username/password is used by all contract staff to access the VA section of the website. The website provides no encryption (no https://). The Information Security Officer (ISO) contacted the VA contract staff and instructed them to remove the VA PII/PHI from the site. They responded that they will do this immediately. The ISO also instructed the contract staff that transmitting/storing VA PII/PHI outside of VA was a violation of VA Policy and should never be done. This issue is similar to the Google.docs that surfaced last year. Consideration should be given to block this URL at the VA gateway.

Update: 03/30/11: VA NSOC blocked the gateway. One hundred eighty-four (184) patients will be sent a notification letter.

04/06/11: The spreadsheet was on the web page since 2010. Ten (10) contract staff members and two (2) physicians that were not on the contract and were not authorized to see the data had access to the spreadsheet.

Outcome:

The Contractor has submitted an Action Plan and they are working with OI&T to find a solution that complies with VA security policies, while at the same time, accomplishing the necessary goal of providing continuity of care for VA patients.
