This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VA Mid South Healthcare Network (VISN 9)

VISN 09 Lexington, KY

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on May 23, 2011. Also cited in 328 other reports.


Report ID: SPE000000062898, U.S. Department of Veterans Affairs

Reported Entity: VISN 09 Lexington, KY

Issue:

A VA physician employee stored patient information on his personal laptop. It may possibly have been stored for research purposes. At this time the Privacy Officer (PO) is unable to determine how many patients are involved. The PO secured the laptop to prevent it from leaving the facility.

Update: 05/27/11: The data on the laptop gives the appearance to have been collected to conduct "case report" studies. The type and amount of data lead the research office to believe that he was conducting non-approved research under the guise of case reports. The Associate Chief of Staff (ACOS) for research has submitted a "cease and desist" letter to the physician for any research activities to include case reports. The Research Compliance Officer has notified the Midwest Regional Office, and the Office of Research Oversight (ORO). The VA Police are in process of contacting IG for guidance on the seizure of personal equipment. At this time, and until completion of the investigation, the physician has been placed on administrative leave. The facility Incident Response Team convened to discuss courses of action. The PO contacted VHACO Privacy Service and the Data Breach Core Team (DBCT) for guidance. There were 164 patients identified with combinations of name, full SSN or last 4 digits of the SSN, date of birth, age, and diagnoses on the personal laptop. Patient information also included X-rays, reports and notes. The 164 patients will receive a letter offering credit protection services.

06/16/11: The physician and his attorney met with facility staff to discuss return of the laptop. It was brought to the attention of the Privacy Officer that the physician was in possession of a significant amount of patient information which was located at his home. This material consists of four boxes of papers, 253 CDs, floppy disks, slides and patient images. The facility has devoted several staff to identify the individuals affected. An issue brief has been attached.

06/30/11: At this point 649 Veterans will be sent credit protection services letters. The facility is still counting the documents that included Veterans' dates of birth.

07/05/11: The facility has completed identifying all the Veterans. There will be 680 notification letters sent, 458 credit monitoring offers and 752 Next of Kin notifications.

Outcome:

We initially revoked access. An AIB was completed and we recovered all information. Employee gained access after completing Information Security and Privacy Training and passing a quiz given by ISO and PO.
