Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Mid-Atlantic Health Care Network (VISN 6)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on November 30, 2012. Also cited in 187 other reports.
Report ID: PSETS0000083023, U.S. Department of Veterans Affairs
Reported Entity: VISN 06 Durham, NC
Issue:
Computer equipment is issued to blind Veterans who are followed by the Visual Impairment Services Team (VIST). The Durham VA Medical Center requested a VACO Office of Blind Rehabilitation site visit in June 2012 to review concerns with management of the computer access training program. The VACO review identified serious concerns with the actions of the vendor who provided computer access training and delivered and set up computers in patients' homes. During a home visit with Patient A in June 2012, the Blind Rehabilitation Outpatient Specialist observed Patient B's information on the computer issued to Patient A. In addition, a progress note on Patient C's chart states that the computer issued to Patient C was being re-issued to another patient because Patient C could not participate in the program. Some patients who had received repeated training over a several year period received multiple computers and/or laptops, without clear documentation about why the equipment was being replaced. These findings raised concerns about whether the vendor was substituting used computers for brand new computers ordered for individual patients. The Office of the Inspector General (OIG) Criminal Investigation unit is further investigating the vendor for possible waste, fraud and abuse. He has requested that the VAMC not communicate with the vendor or the VIST Coordinator who oversaw the program. Patient A has moved to Virginia. Her telephone number is blocked so that she doesn't receive incoming calls. The Information Security Officer (ISO) has sent her a letter asking her to contact the ISO about the visit with the BROS Coordinator. The core group of patients who received regular computer access training in 2011-2012 will be called to ask whether the computers they received were brand new or not, and whether they ever found information belonging to another person on the equipment issued to them by VA.
Results of this review will be used to determine whether there is a need to swap all current equipment for up to 119 patients who received training between 2003 and 2012. Depending on the findings, credit monitoring would be offered for all patients trained in the last 2 years and their current Windows XP equipment will be swapped for Windows 7 devices. The Durham Office of Information and Technology would then pull the hard drives of all the returned equipment and sanitize them before sending them to Intelligent Decisions. Once the OIG's investigation is complete, the VIST Coordinator and contract vendor can be contacted to see if the equipment re-issue began before 2011.
Update: 12/04/12: The Privacy Officer (PO) interviewed 12 out of 15 patients in the first group and left messages for the rest. So far she has found one patient who has someone else's info on it. The patient died, so she is not sure how we can get the machine back. She has told the Associate Director and the Chief of Prosthetics who she hopes are working on the legalities. The PO also found 4 devices turned in that may or may not have been sanitized that will require investigation. She will next be interviewing an additional group of patients who received workstations or laptops in the last 2 years to see if any received recycled laptops. She is out of the office until Friday and will resume calling then.
12/10/12: Fourteen out of the 15 initial group of patients have been contacted. Patient A, who is deceased, did have someone else's information on his computer. The Acting Associate Director has been informed as have BROS, VIST and Prosthetics. Patients B and C are not sure if their workstations were new or not. These workstations will need to be checked out. The computers of six patients were replaced for one reason or another. Someone representing the VA took possession of the replaced computers.
It is VIST policy not to retrieve computers from patients, so either the computer was re-issued to someone else or they were disposed of by the contractor or the VIST Coordinator. The local Office of Information and Technology did not receive the hard drives for sanitization. After verifying that the patients are alive, the ISO will contact approximately 51 patients to determine if they still have the computer that was issued to them and if not, how it was disposed of. There are another 6 patients who received a computer in the last 2 years who will be contacted to verify what they received and the current status of their computer. After analyzing that data, a decision will be made on whether or not to contact the remaining 43 patients.
12/30/12: The Information Security Officer (ISO) reviewed 119 Visual Impairment Services Team (VIST) patients who participated in the clinic titled Local Computer Training between 2006 and 2012. Of the 119 patients, 32 were deceased and therefore were not contacted, 22 could not be contacted, 68 were contacted. Of the 68 contacted, 13 patients had turned in a computer to the VIST program. There is no evidence that these devices were sanitized. Therefore, I recommend credit monitoring for this group of patients. Of the 68 patients contacted, 38 patients had no information security issue. This means that they received one or more computers, still owned the computer or had disposed of it themselves, were present when the computer was unpacked from the box and had seen no evidence that the computer was not new. One patient had a bad experience with the VIST program contractor and returned the new computer he was given and requested the return of his old computer which had been removed by the VIST contractor. The entire event took less than 4 days. I do not feel that credit monitoring is necessary for this patient.
There are 5 patients whose existing computers showed evidence that made the patient owners believe that the computer was refurbished. Several patients were told by either the VIST Coordinator or the contractor that the contractor issued some refurbished computers. These computers should be replaced and subjected to a review to determine if the computer contains information from other individuals. Someone with computer forensics knowledge should look at these computers. The Durham VAMC does not have the expertise for this activity. There were 11 patients who never received the computers that they were promised. Most likely this is an administrative error, but records must be crosschecked by the VIST and prosthetics programs to be sure that this is indeed the case.
02/12/13: ISO knows of no further action to be taken. ISOs have no part in forensic testing. That will need to be done by another person. The Front office has opted not to contact the Veterans.
02/19/13: The ISO talked with the Director and she requested that he submit the recommendations as an official memo so she can delegate it out to the appropriate parties. This will include credit monitoring for the 13 Veterans as well as tasking VIST with retrieving the 5 workstations that may have been refurbished and may contain other patient information. The 13 Veterans will receive a letter offering credit protection services.
Outcome:
Processes are being changed to prevent this.