This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VA Mid South Healthcare Network (VISN 9)

VISN 09 Memphis, TN

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on August 10, 2011. Also cited in 328 other reports.


Report ID: SPE000000065624, U.S. Department of Veterans Affairs

Reported Entity: VISN 09 Memphis, TN

Issue:

Two Veterans called and spoke with the Privacy Officer alleging that a VA employee is accessing and sharing their medical information with outside individuals who have no need to know. On Monday (8/8/2011), a guy called and reported to the Privacy Officer that his ex-wife works for the Memphis VA Medical Center and she has accessed and shared his medical information on Facebook. On Tuesday (8/9/2011) a female Veteran also called and complained to the Privacy Officer that the same VA employee is accessing and sharing her medical information with her ex-husband, who is the first complainant. The female Veteran and the guy were at one time a married couple but they are divorced now. They both are pressing privacy violation charges against the Memphis VAMC employee for unlawfully accessing their medical records and sharing their sensitive medical information. Update: 02/01/13: Two (2) Veterans will be sent a notification letter.

Outcome:

The VA employee who was investigated provided the excuse that as a VA employee, she has the right to log into CPRS\VistA to look up and provide information to patients. She insisted the complainant called to ask her to verify his upcoming clinic appointments. PO and ISO noted the employee's actions violated VA Privacy and Information Security rules since she was not performing her official VA job at the time she went into the complainant's medical record. Secondly, the complainant's medical records are flagged as sensitive, and she should have paid attention to the security alert popup. Thirdly, as an RN, her official VA job does not involve clinic appointment scheduling; she should have transferred the complainant's call to outpatient clinic appointment schedulers to assist him. The employee concurred that her actions violated VA Privacy and Information Security rules. She also understood that by accessing the complainant's medical records without need-to-know, her actions violated his personal privacy. On the part of the second complainant, the employee explained she and the complainant were friends a couple of years ago. She also explained that the complainant used to call her to request that she provide information from her Compensation and Pension (C&P) record. In her defense, she stated the complainant willingly provided her with her full SSN; otherwise she (VA employee) would not have had any idea about her SSN. Follow-up with the complainant indicated that she never made such calls to this VA employee requesting information. She stated the VA employee was married to her ex-husband and that she knew her friend was capable of sharing sensitive information from her medical records with him (ex-husband). PO and ISO found that the VA employee violated the complainant's personal privacy and VA Privacy and Information Security rules.
VA employees have been educated to refer Veterans\patients to the Release of Information (ROI) Office to sign consent before information from their medical records can be released. This case is considered closed as of 9/23/2011. PO received signed notification letters from the Medical Center Director's Office this evening and will mail them tomorrow morning.
