VA Mid-Atlantic Health Care Network (VISN 6)

Report ID: SPE000000078232, U.S. Department of Veterans Affairs

Reported Entity: VISN 06 Beckley, WV

Issue:

An SF-50 form, Notification of Personnel Action, was posted on the public drive in a file that had employee's last name in it. This file could be opened by any VA employee. This SF-50 contained the Beckley VAMC Director's full name, full SSN, DOB, and other HR-employee data. Update: 07/30/12:The file was placed in the folder by HR. The file has been removed. Review of the file and folder indicate no one unauthorized viewed the file. This was a policy violation. No data breach occurred.07/30/12:Per request from the PO, the employee will be offered a letter offering Credit Protection Services, due to the potential that someone may have been able to view the file while it was on the public drive, and the file contained the full name and SSN of the employee.

Outcome:

I have talked with our CIO and asked her if something can be done to prevent single documents from being saved directly to the Public Drive without being deposited into a specific folder (that's what happened in this case). I have also asked our CIO if it is possible to have some sort of pop-up on the Public Drive so that when an employee clicks into it, a message pops up stating something like "Welcome to the Beckley VAMC Public Drive." The intent of these suggestions is to #1., alert an employee that he/she is on the Public Drive and not on their personal Z drive; and #2. Prevent an employee from saving a document directly to the Public Drive without being in a folder. The hope is that they will realize they are on the Public Drive when they see folder names that are unfamiliar to them. Our CIO is looking into these suggestions.

Related Reports:

2 other violations reported on the same date. Note that other citations may be about the same event: SPE000000078198, SPE000000078213