Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Mid South Healthcare Network (VISN 9)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on January 9, 2013. Also cited in 328 other reports.
Report ID: PSETS0000084431, U.S. Department of Veterans Affairs
Reported Entity: VISN 09 Nashville, TN
Issue:
A VA TVHS employee who works at the VA Chattanooga Outpatient Clinic reported to her Service Chief that she suspects another VA employee may have accessed her personal information from the VA computer system. The Service Chief contacted the Privacy Officer (PO) of this complaint and a Sensitive Patient Access Report (SPAR) was generated to cover the time period 01/01/11 to present. Upon obtaining this report, the PO contacted the Service Chief, as the report identified a VA employee who also works at the VA Chattanooga Outpatient Clinic did access the CPRS chart of the complainant back in February 2011. The employee's record who was accessed, is not a Veteran, so there should not have been a need for the other employee to have specifically accessed the CPRS Record. Update: 01/09/13: The PO spoke with the Service Chief. The employee whose record was accessed alleges that the other employee used her personal information to have a tire fixed. The shop contacted the employee which prompted her to request the SPAR. 01/14/13: On Friday, 01/11/13, the Service Chief interviewed the employee who accessed this CPRS Record. The employee was informed of the fact that her name appeared on a Sensitive Patient Access Report showing she accessed another VA employee's CPRS Record and that she needed to provide documentation as to why the record was accessed and for what purpose. The employee was provided time to arrange Union Representation and to turn in her statement. 01/17/13: The Privacy Officer received a statement from the employee who accessed the CPRS record. In her statement, she could not recall accessing and stated it must have been inadvertent. The PO determined this was an unauthorized access and referred to the Service Chief for appropriate action. 01/28/13: The employee will receive a letter offering credit protection services.
Outcome:
Corrective Actions still pending at Privacy Office and Executive management. 1/23/13 - With this access being determined as inappropriate access, this access issue was referred to the Business Office for appropriate action. Business Office is currently working with HR to determine type of sanctions. 1/30/13 - CM letter prepared, signed and mailed this date. The inappropriate access has already been referred to the Service, who is working with HR for action to be taken. Request this ticket now be closed.