Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Veterans In Partnership (VISN 11)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on February 25, 2013. Also cited in 213 other reports.
Report ID: PSETS0000086091, U.S. Department of Veterans Affairs
Reported Entity: VISN 11 Detroit, MI
Issue:
An employee's car was stolen out of his driveway. The car contained 3 boxes and a rollaway bag. The rollaway bag is used by the employee to transport files back and forth between the VA and clients. The boxes contained mostly training materials, but could have had patient information sporadically inserted in the boxes. Update: 02/27/13: The Information Security Officer (ISO) is waiting on the Report of Contact (ROC) and patient list from the employee. The ISO has tried unsuccessfully to contact the employee. 02/28/13: The ISO is still waiting on more information from the employee and a copy of local Police Report filed. 03/01/13: The employee contacted the ISO and said he was at the Police Station and would be in to give us the report and the documentation requested. The employee did not show up. The employee put an envelope with a Report of Contact and 2 patient lists in the ISO's box. The Report of Contact had no information to help with the investigation (just says car was stolen) and it has not been determined if the patient list is the actual list or just a list of names. The ISO sent several questions to the employee but has not received a response. The supervisor has contacted the employee via e-mail several times no response. 03/04/13: The employee called ISO at 6:10 AM on Monday, 03/04/13, to let the ISO know that the employee will be in today to deliver the information that the ISO has been requesting. 03/05/13: The employee did not show up nor have we received the documentation. We also had a scheduled meeting and employee was a no show. The supervisor has sent the employee a message, a voicemail and even tried to track the employee down in the medical center. Per the supervisor, we have disabled the employee's network and VISTA accounts, VPN has already been automatically deleted, and BlackBerry service is being suspended. 03/07/13: The employee was told that when he signed the Rules of Behavior (ROB), and took the annual Information Security and Privacy trainings that the employee is responsible for all data that is under his responsibility and that claiming ignorance is not going to excuse the employee. 03/08/13: The employee dropped off an envelope in the ISO mailbox with the local Police Report and the requested report of contact. The report of contact contained information that was not disclosed before- (what was in the car, what kind of forms was in the boxes) however the ISO still does not have any definitive answer regarding which Veterans' information was compromised. The employee has no recollection of which patients information was left in the stolen vehicle. We have 2 different patient lists, one from the employee and one from the supervisor (employee's workload). The lists differ because there are 10 patients on the employee's list that are not on the report of contact listed patients that may have been compromised- there is a discrepancy between the list from the supervisor and the employee. According to the supervisor up to 44 Veterans could have had their information compromised therefore. 44 Veterans will receive a letter offering credit protection services. 3/26/13: update.. was a total of 66 individuals affected, therefore 22 more will receive CPS. supervisor's list. There are 34 patient's on the supervisor's list that are not on the employee's. The employee has been counseled by the supervisor. Steps are being taken to terminate the employee. The ISO and PO are trying to determine which Veterans' information was compromised. 3/14/13: The employee has resigned- with no further information. The ISO and supervisor have not determined which patients were compromised. During the investigation, it was also noted that the employee may be lying about any information that was compromised. At first the employee claimed no PHI/PII was compromised, then the
Outcome:
Employee has been counseled by the supervisor. Steps are being taken to terminate the employee. ISO/PO are trying to determine which Veteran's were compromised.