New Mexico VA Health Care System

Report ID: PSETS0000107332, U.S. Department of Veterans Affairs

Reported Entity: NEW MEXICO HCS - 501

Issue:

A folder containing multiple patients information including full names, SSN's, and other medical information was found in a ladies' restroom on the first floor of Bldg. 41 and brought to the HIMS/HAS Chief Record's Manager. Preliminary review of the folder by the HIMS/HAS Chief indicated there were 3,463 patients information contained in this folder and 3,427 full patients SSNS. There is evidence to suggest this folder belonged to one of the release of information clerks. The HIMS/HAS Chief was going to be meeting with the employee who allegedly misplaced the information/folder on 08/01/2014.

Outcome:

08/01/14: The Privacy Officer reports that this was found in a public restroom in one of the main lobby areas of the medical center. It was found at approximately 4:00 PM on 07/30/14. At this point of the investigation, the documents are believed to have been left in the restroom for less than two hours. The folder was left by a VA employee who was scheduled to have a meeting with HR and union officials. It appears that the document containing the patient names and SSNs was printed to show the employee's workload. The majority of the names and SSNs were on this ROI workload report. The report columns on the listing were: patient name, SSN, first or third party request, and status of request. Approximately 80 ROI request forms were also in the folder, which contain the patient name, date of birth, SSN, and what information was being requested, which could be clinical information. When questioning the employee about the folder, the employee stated that she had been storing the information in the trunk of her car, but changed that story later in the interview to say that she never took it off VA grounds. The Privacy Officer and Chief of HIMS are continuing to investigate the incident. This will be discussed during the 08/05/14 DBCT meeting. 08/05/14: The DBCT determined that since the information was left unattended in a public area of the Medical Center for approximately two hours during the work day, that there is a risk of data breach. All Veterans whose SSNs were disclosed in the file will be offered credit protection services. This is a HITECH Act reportable breach. The Privacy Officer is researching the other 36 patients who did not have their SSN disclosed to see what information was disclosed on them. At this point 3,427 Veterans will be offered credit protection services, and a press release will be required. 08/07/14: The PO has revised the total number of individuals affected to 2,670 after duplicates were removed. 08/20/14: The PO will check on the status of the draft press release to assure the Incident Resolution Service Director has time to review it before it is released. The facility is preparing a mail merge to get ready to send the credit monitoring letters. 09/10/14: Several more duplicates have been removed. The final numbers are 2,543 credit monitoring letters, and there will be 114 next-of-kin notifications sent. 09/15/14: The letters have been sent on 9/12/14 and the press release was done on 9/13/14. The press release was scheduled for 9/16/14, but one of the recipients contacted the press and the facility felt that the press release should be done immidiately.