Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Southeast Network (VISN 7)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on March 21, 2013. Also cited in 225 other reports.
Report ID: PSETS0000087033, U.S. Department of Veterans Affairs
Reported Entity: VISN 07 Birmingham, AL
Issue:
A Birmingham VA Medical Center (BVAMC) Mental Health physician reported to the BVAMC Chief, Mental Health, that a black folder containing last names of some patients, last four digits of their social security number, and some scribbled notes had been left on top of the physician's car and he is now unable to locate it. The physician called the BVAMC Emergency Department (ED) as well as the VA security office and was unable to locate the folder. The physician drove the exact route taken the previous night twice looking for the folder, but was unsuccessful. The physician went to BVAMC "lost and found", the University of Alabama, Birmingham Police Department (UAB PD), and the Birmingham City Police Department looking for the folder, but was unable to locate it. The physician left contact information at all these locations. The BVAMC Privacy Officer (PO) instructed the physician that a list of the contents of the folder (list of names, last four, notes, etc.) would need to be recreated and forwarded to the BVAMC PO immediately. Update: 04/01/13:The Privacy Officer has requested that the physician provide a list of the Veterans who are affected. Still waiting on a response from the physician.04/09/13:The Privacy Officer was provided a list 21 names believed to be the names contained in the lost black folder. The list contains full name and last four of the SSN of the patients. HIPAA notification letters will be sent to 21 patients.05/22/13:This was determined to be HITECH reportable by VHA Privacy Office.
Outcome:
BVAMC PO met with the physician who misplaced the folder to discuss the list of patients whose information was at risk. Physician stated she mistakenly stated the date of the incident was 2/15/2013, which in fact it was 3/15/2013. The physician advised the BVAMC PO that the list previously provided was incorrect, and the correct list was provided later the same day. BVAMC PO advised the physician that it would be necessary to re-take the HIPAA/Privacy training and provide certification of completion. The physician provided certification of completion on the HIPAA/Privacy training on 4/12/ 2013. The BVAMC PO met with the Chief, Mental Health and Assistant Chief, Mental Health to discuss the incident. They requested a copy of the notification letter sent to all patients in order that they notify the provider and the provider could inform the patient, if provider deemed necessary, that he/she would be receiving the letter and help with questions/concerns that might arise. Mental Health Service provided documentation that providers had been notified of the letters. (copy of notification letter attached)