Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Healthcare - VISN 4 (VISN 4)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on March 1, 2012. Also cited in 239 other reports.
Report ID: SPE000000072371, U.S. Department of Veterans Affairs
Reported Entity: VISN 04 Pittsburgh, PA
Issue:
The Privacy Officer (PO) was notified that VA residents have been requesting Veteran imaging CDs for presentation purposes. The Imaging Supervisor indicated this activity has been occurring for the last few years. The imaging clerks have been providing the VA residents with VA Form 0897 (Presenter Certification Form), VHA Privacy Office Privacy Fact sheet volume 08, No.2 (Displaying Sensitive Information in Presentations) and an unencrypted CD of the requested images. The residents signed VA Form 10-5345 (Request For and Authorization to Release Medical Records); however, this is not the appropriate signature authority for presentation purposes. The signed VA Form 0897 and presentations have not been submitted to the Privacy Office for review.
Update: 03/01/12: This process was stopped immediately. The PO requested to see documentation of all images released under these circumstances in the past year as an auditing measure. The PO received approximately 40 for fiscal year 2011, none of which had been submitted to the Privacy Office for review. The Imaging Supervisor has been asked to provide copies of all VA Form 10-5345 that have been signed by the resident/physicians for these purposes. The images contained full name, SSN, age, sex, date of birth, referring physician, type of exam and date of exam.
03/06/12: These requests should not have been a FOIA request as all the Veterans are still living. The presentations were all for educational purposes, presented at educational conferences, review cases, case conferences, surgery and peri-operative care, etc. With the Veterans still living, the approving authority would have been the Veteran him/herself. The PO identified a total of 60 Veterans.
03/13/12: Although no malicious intent was involved, the personally identifiable information (PII) for 60 Veterans was inappropriately disclosed. Letters offering credit protection services will be sent to all 60 Veterans.
Outcome:
OI&T staff assisted the Imaging Department with implementing the redaction capability on the imaging software. The Imaging Department will only provide a de-identified encrypted CD for presentation purposes after a request has been received in writing. In addition, the Imaging Department will track these disclosures and notify the Privacy Office.