VA Midwest Health Care Network (VISN 23)

Report ID: SPE000000073076, U.S. Department of Veterans Affairs

Reported Entity: VISN 23 Omaha, NE

Issue:

While VA Police were conducting security checks of the exterior buildings, they encountered a man going through a shredding container behind an out building. The man fled off campus when he saw the Police. It is unknown if the suspect fled with any items from the containers. The Police stated that the bin contained contracts, emails and patient information. Update: 03/20/12: The VA Police originally reported that less than 50 documents were in the shred bin, but after the Privacy Officer reviewed them, she found individually identifiable information for 126 Veterans. Some of these documents have names, full SSNs and dates of birth. Others have names and last four of SSN or names and address. The VA Police notified OIG who declined the case. There are no cameras that view the area where the shred bin was. The shred bin was not locked and was not supposed to be located outside. 03/30/12: The final counts are 130 Veterans with full SSN disclosed and 13 Veterans with only name and address on the documents. The 130 will be offered credit protection services and the 13 will be sent letters of notification. 04/25/12: On further investigation, the bin was actually a recycle bin, not a shred bin. The employee placed it incorrectly in the recycle bin. 05/14/12: After further review, only 38 individuals had full SSNs or dates of birth disclosed. These 38 will be offered credit protection services.. 97 had information disclosed that will require HIPAA notifications to be sent. Resolution

Outcome:

The Privacy Officer educated the staff in the department. With the support of the Director's office, the facility also immediately implemented 100% shredding of paper in the facility. An email was sent out to all staff. The facility changed the shred contract to allow for more volume and is ordering more shred bins from the contractor. Letters have been sent out