Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Heart of Texas Health Care Network (VISN 17)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on September 14, 2012. Also cited in 122 other reports.
Report ID: SPE000000080177, U.S. Department of Veterans Affairs
Reported Entity: VISN 17 San Antonio, TX
Issue:
A VHA Without Compensation (WOC) Research Coordinator had her personal laptop and a Research voucher stolen out of her car. She had two VA Research database files on her personal laptop. The laptop was not encrypted. She was not authorized to have this information on her personal laptop. This Research study includes both Veterans and non-Veterans. One database had a total of 168 names; 31 of them were identified by the subject code number (not identifiable) and the remaining 137 were identified by initials and last four digits of the SSN (i.e. mlw 1234). The only other information on the database was the study name, study date, assay, and processed date. The second database is a statistical database and can only be opened with the statistical software. It has the subjects identified by subject code number only. The paper document which was stolen had a subject's signature and full SSN. Her name was not typed on the form. No other information was on the form. There was only one paper document along with the two files on her personal laptop.
Update 09/18/12: The stolen laptop was reported first to the San Antonio Park Police Department and then the next day to VA Police. VA Police did not do a report since it wasn't stolen on VA property and it was a personal item. The WOC Research Coordinator had approval from the Institutional Review Board (IRB) and Research and Development (R&D) to store the information on the University of Texas Health Science Center at San Antonio (UTHSCSA) Division of Epidemiology and Biostatistics folder, which is FIPS 140-2 compliant. She then emailed the information from the UTHSCSA folder using secure email to her personal laptop, which she was not authorized to do. The type of disciplinary action/course of action is still in discussion with management and therefore still pending. None of the data on the laptop is identifiable. The paper document contained one subject's full SSN and signature.
The one subject will receive a letter offering credit protection services.
Outcome:
VHA - Individual responsible has been suspended from any subject research activity for 10 days and will re-take Information Security/Privacy training. On the UTHSCSA side, disciplinary actions are still pending.