Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Southwest Health Care Network (VISN 18)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on September 18, 2012. Also cited in 228 other reports.
Report ID: SPE000000080270, U.S. Department of Veterans Affairs
Reported Entity: VISN 18 Phoenix, AZ
Issue:
Research coordinator reported that on 9/6, a veteran research subject (Veteran A) was accidentally given a CPRS patient inquiry printout for another veteran (Veteran B) with the same last name, which had apparently stuck to Veteran A's paperwork. Veteran B was not a research subject. Veteran A returned the printout to the research coordinator on 9/10. Research coordinator states Veteran A was upset that he had been given the information, had kept it in his possession the entire time and did not show it to anyone else prior to returning it. Further details of the security of the data during this time are not available. Data out of VA control consisted of 2 pg. printout of a CPRS patient inquiry for Veteran B, containing full name, full SSN, DOB, address, home and cel phone numbers, combat vet status (not eligible), service connected %, medical information including diagnoses, inpatient admit/discharge dates, clinic enrollments and upcoming appointments, identification of next of kin / emergency contact (both are Veteran B's spouse; address same as Veteran B but a third phone number), and insurance information, including the insurance policy and group numbers of the spouse. Update: 09/19/12:Veteran B will be sent a letter offering credit protection services.
Outcome:
Paperwork of Veteran B was recovered on 9/18/12. Staff were counseled by supervisor and Research PO on 9/18/12 not to print entire patient inquiry sheets to facilitate maintaining an Accounting of Disclosures, but to copy only the relevant information electronically (cut-and-paste) to the Accounting of Disclosures spreadsheets, with no paper copies. Credit monitoring letter to Veteran B and HIPAA notification letter to spouse of Veteran B were mailed 9/27/12 and have not been returned to the Research PO as of 10/11/12. Institutional Review Board voted on 10/10/12 to find serious noncompliance, and to accept the existing remediation as satisfactory. Ticket had been kept open to allow recording of the IRB's decision, and with their decision not to require any further remediation