Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Heartland Network (VISN 15)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on February 28, 2013. Also cited in 149 other reports.
Report ID: PSETS0000086266, U.S. Department of Veterans Affairs
Reported Entity: VISN 15 Marion, IL
Issue:
A report was received that an employee was overheard talking to her daughter about a Veteran's medical appointment on 02/27/13. On 02/28/13, the employee allegedly was overheard talking with the Veteran, reassuring him that his medical information would remain confidential. This complaint is currently under investigation by management. Update: 03/12/13: A fact-finding meeting was held with the employee in question, her union representative, supervisor, and the Privacy Officer (PO) on 03/01/13. During the meeting, the employee denied discussing the Veteran's appointment or medical information with the employees daughter on 02/27/13. The employee stated that her daughter, who is in a new personal relationship with the Veteran, had shared with her (VA employee) that the Veteran was nervous about meeting her during his appointment on 02/28/13. The VA employee is the clerk in a behavioral health clinic. Per phone records, the employee utilized the VA telephone system to contact her daughter. The employee was advised that it is inappropriate to acknowledge or discuss the Veterans appointments with her daughter or with anyone outside the Veterans healthcare team. The employee was asked if there was a valid business purpose to contact the Veteran on 02/28/13, following his medical appointment. She stated that she felt she was doing her job by calling the Veteran to reassure him that his medical information would remain confidential. She stated that she had sensed that the Veteran wanted to talk to her following his appointment. The employee was asked if she had retrieved the Veterans telephone number from his CPRS records. She stated that the Veteran had provided her with his phone number last weekend, and that his number was already stored in her cell phone. The employee stated she had not accessed the Veterans medical records since her daughter began seeing the Veteran. She also stated she had not shared any of the Veterans medical information with her daughter, including his behavioral health diagnoses. The employee also denied sending text messages concerning the Veterans VA care and/or appointments to her daughter or to the Veteran. The employee shared with the panel that she had discussed the information surrounding her coworkers allegations with her daughter and the Veteran (the evening prior to this meeting), and that the Veteran had shared that it was okay to contact him. It was explained to employee that it was inappropriate to discuss this incident, as the incident was under investigation. The employee was advised not discuss any further investigatory information with anyone, including her co-workers, the Veteran or her daughter. This was re-emphasized by her union representative. Reports of Contact (ROC) were submitted by two of the employees coworkers. There are notable inconsistencies between the ROCs and the employees statement. The Veterans provider was also contacted. The provider stated that she had shared with the employee that she had reassured the Veteran during his appointment that the employee (his girlfriends mother) is very professional and would maintain confidentiality of his information. She stated that did not advise the employee to call and reassure the Veteran of this. Employee has been reassigned to a different clinic, pending outcome of this incident. Information has been shared with Human Resources (HR) Labor Relation (LR) for appropriate administrative actions/recommendations. 03/13/13: The Veteran will receive a HIPAA letter of notification.
Outcome:
The following measures have already been taken to lessen the likelihood of future incidents of this nature: 1) To further protect your medical information, including your contact information, your records have been marked with a higher level of security. 2) Education has been provided to the employee in question. 3) Appropriate administrative actions will be taken against the employee in question. 4) Employee will be advised to retake the FY 13 Privacy and Information Security and Privacy and HIPAA Training modules in TMS.