Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Mid-Atlantic Health Care Network (VISN 6)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on November 9, 2011. Also cited in 187 other reports.
Report ID: SPE000000068469, U.S. Department of Veterans Affairs
Reported Entity: VISN 06 Salisbury, NC
Issue:
A Nurse Manager discovered that a VA employee was keeping files on numerous employees. The information included performance appraisals, background investigations, medical records, education records, etc, that went back to 1985. Update: 11/10/11: The Privacy Officer (PO) reported that it is a very large volume going back to 1985, and will try to have a count by close of business Monday 11/14/11. At this time there appears to be no malicious intent. 11/14/11: The PO advised that a facility Incident Response Team (IRT) has been formed and will be meeting today at 2:00 PM to go through the items that the employee had. All the information is now in a different secured location. The employee is out on leave due to a motor vehicle accident. There is no date as to when she will be returning. At this time it is unknown if any information has been taken off station. The incident is still under investigation. 11/18/11: The facility is in the process of requesting consent of the employee to do an interview to determine if she has removed records from the VAMC. Human Resources (HR) is assisting with this process. It is still unknown at this time on the exact number of employees as the local IRT is still inventorying the information. On one of the tapes that have been listened to thus far is a conversation between the employee and her supervisor. The information on the CD ROMs contains information on VA employees and Research subjects. There still does not appear to be any malicious intent at this time. The employee is on Family and Medical Leave Act (FMLA) and it is anticipated that she will return in February. There is a vast amount of hardcopy records and the site is continuing to go through all the documents separating sensitive from insensitive, research, training, purchase orders, employee personnel files etc.. in order to inventory the records to get an exact count of individuals affected. 11/22/11: The local IRT team members continued to review and catalog the documents. It was discovered that the employee has an authorized government provided thumb drive. The form authorizing the thumb drive noted personally identifiable information (PII) would be stored on the thumb drive. The employee was authorized to have the thumb drive but it does not appear she had the authorization to remove the thumb drive off station. Staff were unable to locate the thumb drive. They opened the locked file cabinets and had the Medical media staff member photograph the contents of the file cabinet to show proof of what was in the cabinets. At this time it appears that the staff member may have the thumb drive with her, which would indicate she has removed PII off the VA protected domain. The facility is in the process of drafting a letter requesting the employee return the thumb drive. 11/25/11: The letter has been sent to the employee requesting the return of the thumb drive. Cataloging of all records is still being done. 12/02/11: According to the PO, the facility Information Security Officer (ISO) has been given approximately 60 diskettes and 12 CDs Office of Resolution Managements (ORM)/Equal Employment Opportunity (EEO) to review for potential violations. Copies of faxed documents and emails show the employee appeared to provide a local news paper reporter with sensitive information about our staff, so the reporter could write an article. The ISO listened to recorded cassette tapes, three of which contained ORM/EEO recording of depositions by three VA employees. The ISO is awaiting the return of the thumb drive, we have received no response as of this date. 12/05/11: The PO and ISO continue fact-finding and continue to catalog and document the records found. 12/16/11:
Outcome:
The site has implemented record management procedures t ensure personally protected information is dispositional properly.