Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Southeast Network (VISN 7)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on February 11, 2013. Also cited in 225 other reports.
Report ID: PSETS0000085653, U.S. Department of Veterans Affairs
Reported Entity: VISN 07 Columbia, SC
Issue:
Upon reporting for duty on Monday, 02/11/13, a VA Pulmonary Respiratory Therapist noticed a laptop was disconnected and removed from portable pulmonary testing unit. According to the employee, he locked his doors prior to leaving on Friday, 02/08/13 at approximately 4:30 PM. Update: 02/12/13: The facility is attempting to run reports out of VistA to identify the potentially affected individuals. The vendor does not recommend or validate the use of encryption on this type of device. The device cannot be wiped on a daily basis as the providers use historical study results in patient care. 02/19/13: The Information Security Officer (ISO) reports that 7,405 patients' information is on the device. The device is not password protected or encrypted. OIG is still investigating the case, but has given the OK to notify the patients if the Data Breach Core Team deems it necessary. 02/21/13: The laptop was not physically locked down to the medical device. The device was in a room that is kept locked. The office is joined to another office by a shared restroom. It has not been confirmed that the other office was locked when the laptop was stolen. Out of the 7,405 patients that would have had information on the device, 898 are deceased. OIG is anticipating interviewing one more person the week of 02/25/13. The facility states that there were some dates of birth (DoB) disclosed, though there is no way to tell how many or which individual patients would have had their DoBs on this device. 02/26/13: The DBCT discussed this during the meeting today. Since there could be dates of birth for the patients involved, 6,507 individuals will be offered credit protection services and 898 next-of-kin notification letters will be sent. This will be a HITECH Act reportable incident. 04/03/13: All letters have been mailed to the affected individuals. 04/05/13: The press release was sent out to all local media outlets.
Outcome:
To prevent any future occurrence, all laptops contained on medical devices have been physically protected and the Dorn Chief of Staff notified clinical staff to securely store and purge all personally identifiable information from medical devices.