Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Phoenix VA Health Care System
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on February 4, 2014. Also cited in 102 other reports.
Report ID: PSETS0000100121, U.S. Department of Veterans Affairs
Reported Entity: PHOENIX AZ - 644
Issue:
Today, 02/04/14, the Associate Director reported to the Privacy Officer (PO) that a Sensitive Patient Access Report (SPAR) shows questionable chart access of an ex-VA-employee's record. There are three (3) staff members whose access does not correlate with treatment or administrative functions for the ex-employee. The ex-employee has been charged with criminal charges of a domestic nature. Television news stories have aired regarding her locally, starting yesterday evening and again today. The ex-employee has not been identified as a VA employee yet. Her chart and collateral chart had been reviewed and secured with a sensitive flag. An Incident Response Team has been scheduled. Additional notification and investigation, pending.
Outcome:
02/04/14: News stories on internet reported the ex-employee's husband's name. His chart was checked and a sensitive chart flag is in place. The PO will recommend another SPAR be run for him also. 02/07/14: A SPAR was provided by the Information Security Officer (ISO) and then a copy was made for Human Resources (HR) to initiate fact finding. Any reports of unauthorized access will be reported to the PO. 03/04/14: HR confirms that their fact finding shows evidence of inappropriate access. Their fact finding concluded today which will be forwarded to PO. They found Employee A admitted to the incident. Employee B is unsure, but did not deny the access. Employee C denies any involvement and we have a follow-up fact-finding this week. Reprimands are recommended for Employee A and B. The appropriate disciplinary action will be recommended for Employee C after the second fact-finding into the matter. HR will have summary reports with additional information ready for PO by the end of the week. In all cases, the former employees name, address and social security number was available on the screens when accessed in what appears to be employee curiosity related to the news event. 03/14/14: Fact finding from HR investigation was provided to PO. It is verified that all 3 individuals in the ex-employee/Veteran's chart subsequent to a news media incident, did not have authorized access to VISTA nor CPRS. We will advise that all three (3) individuals who accessed this chart have appropriate corrective actions taken by HR and their manager due to a Privacy violation. One of the individuals is not current with TMS 10176. The Incident Resolution Team (IRT) determined that the ex-employee will receive a HIPAA letter of notification.