Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Sierra Pacific Network (VISN 21)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on July 16, 2012. Also cited in 141 other reports.
Report ID: SPE000000077930, U.S. Department of Veterans Affairs
Reported Entity: VISN 21 San Francisco, CA
Issue:
3/26/12@0814: Via email, the complainant contacted Occupational Health (OH) and asked if her lab results were in.
3/26/12@0843: Via a response to the complainant's email, an OH nurse replied with the titer results.
3/26/12@0859: The complainant asked for the specific titer, and a printout.
3/26/12@0909: The OH Nurse replied a copy would be available for pick up.
3/26/12@0918: The complainant responded to the email and asked for a quantifying level.
3/26/12@0928: The OH Nurse responded the lab does not provide the number and gives qualitative results.
3/26/12@0953: The complainant emailed again and in summary asked for the results or level.
3/26/12@1010: The OH Nurse responded and copied the complainant's supervisor as well as the Chief of Personnel Health to the email.
In summary: (1) the complainant alleges her privacy was breached when her supervisor and the Chief of Personnel Health were copied on the email; and (2) questioned who in Washington determines what information is considered highly sensitive.
Update:
10/23/12: The employee will be sent a HIPAA notification letter.
11/01/12: On 8/13/12, the Privacy Officer (PO) met with the subject of the complaint's supervisor who explained the following: (1) The email did not contain specifics about the complainant's titer status; (2) supervisors are provided information necessary to determine suitability for employment; (3) Personnel Health employees routinely bring managers/supervisors into conversations when their employees fail to comply with requirements (i.e., mandatory testing), or when employees are dissatisfied with services provided; and, (4) the Medical Director of Personnel Health counseled the subject of the complaint regarding how to handle this type of situation in the future. Notification is not required.
12/18/12: After review of the actual e-mail by the national Data Breach Core Team on 12/18/12, it was decided that the employee should be sent a HIPAA letter of notification.
Outcome:
Occupational Health has reviewed its practice and in the future will not include supervisory personnel on emails. Corrective actions include:
1. Privacy Office met with the Chief of OH and provided education on when information may be released from a Privacy Act system of record.
2. All OH employees instructed to complete Privacy and HIPAA training (TMS course VA 10203).
3. All clinicians assigned to OH instructed to read VA Handbook 5019 as well as Employee Medical Record File system of record notices.
4. OH will develop internal procedures on the topic of records collection, maintenance and release.
5. Disciplinary action taken.
6. HIPAA notification letter sent to the complainant.