This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

South Central VA Health Care Network (VISN 16)

VISN 16 Biloxi, MS

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on July 21, 2011. Also cited in 317 other reports.


Report ID: SPE000000064938, U.S. Department of Veterans Affairs

Reported Entity: VISN 16 Biloxi, MS

Issue:

On the morning of 07/21/11 an employee discovered her office door was unlocked, opened, and office files were accessed and thrown on the floor. This area is not access controlled but open to employees, visitors and patients. Biloxi VAMC Police were notified and initiated an investigation. The Privacy Officer (PO) was notified. The unsecured files contain both patient and employee Personally Identifiable Information (PII) and Protected Health Information (PHI). There is confirmation that 65 employees' information was accessible. A list of patient names is being compiled and expected to exceed 1,000.

Update: 07/22/11: The office belonged to the Secretary for the Chief of Surgical Service. The types of records in this office that were exposed include Congressional Inquiries, Reports of Contact, a list of patients with pacemakers and binders containing information on patients who were treated by fee basis providers. The door to the office automatically locks when closed, however, an employee went in the office later in the day in the course of her duties and believes she unlocked the door and forgot to lock it when she left. The building does require a Personal Identity Verification (PIV) card to be scanned for entrance and there are cameras covering each entrance. The VA Police are investigating and have reviewed the video which did not reveal anything. The police are currently reviewing the physical access logs. The third floor of the building is for inpatient mental health patients who are given the liberty to leave. The patients are being interviewed. The Privacy Officer is currently compiling a list of names exposed. It is currently estimated to be around 1500.

07/25/11: After a review of the documents, 1887 individuals' information could have been accessed. The Biloxi VAMC is currently deleting duplicate names and expects only a minimal decrease in the 1887 number. Two lists are currently being compiled for notification and credit protection. Notification letters will be sent to approximately 20 employees whose competency folders with full name and last four numbers of their SSN could have been accessed. The remaining individuals, both patients and employees, will be offered credit protection due to PII and PHI being contained in the accessible files.

08/03/1: The Biloxi VAMC Police notified the Mississippi and Florida Office of Inspector General to assist in locating and questioning the suspect. The suspect has not been located. After review of all documents, 1,829 individuals were identified whose protected health information and/or protected individually identifiable information could have been accessed. Three lists were compiled for credit monitoring, notification, and next-of-kin notification letters. Credit monitoring letters will be sent to approximately 1,798 individuals whose protected health information could have been accessed. This list includes patients and employees. Notification letters will be sent to 25 employees whose protected individually identifiable information could have been accessed. Six Veterans were identified as deceased. Next-of-kin notification letters will be sent to the family of these 6 Veterans.

08/15/11: There have been 1798 Veterans who have been identified to receive letters offering credit protection services due to full name and SSN being disclosed. Full name and partial SSN have been disclosed for 25 employees and 6 Next of Kin letters will be sent.

Outcome:

We have conducted a full investigation. The Privacy Officer and Information Security Officer will be providing additional guidance to staff within the affected area to ensure compliance with our faculty privacy and information security policies. The VA Police continue foot patrols in the hospital to ensure office doors are locked during non-business hours. The Privacy Officer will conduct additional rounds to ensure that documents containing sensitive personal information are secured during business and non-business hours from unauthorized access.
