Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Southwest Health Care Network (VISN 18)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on March 2, 2011. Also cited in 228 other reports.
Report ID: SPE000000059002, U.S. Department of Veterans Affairs
Reported Entity: VISN 18 El Paso, TX
Issue:
An employee reported that she believes her personal medical electronic records were accessed without permission or a need to know by several employees and she is requesting a full investigation of the access logs from 02/15/11 until 03/02/11.
Update: 03/07/11: The Information Security Officer (ISO) ran the report of access. All staff, except one, who accessed the employee's record for the time frame in question have responded to questions in a fact-finding meeting with the Privacy Officer. Once the final interview is completed, the results will be provided to the Executive Leadership.
03/11/11: According to the ISO, this is pending review of the Director and Privacy Officer to determine whether or not a breach occurred. The delay is due to personnel being out of office the last few days.
03/15/11: The PO is still waiting on management response.
03/28/11: The employee's record was accessed inappropriately, therefore Employee A will receive a letter offering credit protection services.
Outcome:
04/04/2011: Update to ticket - Per fact finding, determined that access was unauthorized and received notice per NSOC-SPE of need for letter of notification/credit monitoring. Letter drafted and then signed per facility Director with note that appropriate action taken to remediate this issue to include notice of unauthorized access to Chiefs of involved Services, clarification of policies and procedures, re-education and clarification of responsibilities as well as privacy issues surrounding employee occupational health records and appropriate access. Letter of notification/credit monitoring provided to employee per hand delivery and acknowledgment. Submitted: JWinstead, Privacy Officer EPVAHCS