This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VA Sunshine Healthcare Network (VISN 8)

VISN 08 Tampa, FL

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on January 17, 2012. Also cited in 369 other reports.


Report ID: SPE000000070757, U.S. Department of Veterans Affairs

Reported Entity: VISN 08 Tampa, FL

Issue:

A VHA clinician sent an unencrypted email with VA protected health information (PHI) in the form of photographs and radiology images to her private email accounts and accessed and stored those images on her personal equipment. The email also included full SSN and date of birth.

Update:

01/20/12: This ticket was entered as a result of an initial OIG report investigating this potential incident. The Privacy Officer (PO) sent OIG an email requesting the number and names of the individuals who may be affected by this incident.

01/26/12: The PO received copies of 2 unencrypted emails from OIG that the VHA employee sent to a non-VHA employee. The first email contained 3 patients' full name and image and the second email contained 3 patients' last name, last four digits of the SSN and the image. The individual has indicated the images have been removed, but that has not been confirmed yet. The Information Security Officers (ISO) are working on obtaining a software program to be used to ensure the personal devices are clean.

01/30/12: The clinician is still on duty; personal iPhone and computer are to be brought to the ISO for review. She indicates info has already been deleted; ISOs will not touch but will watch to ensure all VHA material is removed. One message was from VHA Outlook to personal phone. The second was from her personal phone to another person's personal phone.

02/02/12: The six patients will receive a letter of notification. The PO will verify that OIG is aware and agrees with VA sending the notification letters at this time.

02/15/12: This is not HITECH reportable since the date this happened was prior to 9/23/09.

Outcome:

Administrative action is ongoing as the event involved conflict of interest, privacy and HIPAA, failure to follow policy, misuse of resources, and gratuities. Director is working with VISN, General Counsel, and HR on extent of administrative action and final resolution. Corrective action - ongoing in conjunction with other aspects of event and policy violations.
