Northwest Network (VISN 20)

Report ID: SPE000000072456, U.S. Department of Veterans Affairs

Reported Entity: VISN 20 Portland, OR

Issue:

A Radiology Resident reported that he is unable to locate a personally owned USB storage drive on which he has maintained a spreadsheet of the procedures he has participated in. He reports it has not been seen since late December 2011 or early January 2012. An electronic backup copy of the spreadsheet has been sent to our facility Privacy Officer (PO). The spreadsheet shows the type of procedure, the date, and an identifier for 199 Veterans. On the copy of the spreadsheet, 138 individuals are identified using the Veteran's last initial and the last 4 digits of their Social Security Number and 59 are identified using their full last name and the last 4 digits of their Social Security Number. The Information is included for procedures dated from 01/05/10 to 10/05/11. A separate tab on the spreadsheet contained VA and University networks, patient record systems, and radiology package passwords. The facility PO has communicated this information to the University Information Security Officer (ISO) so they are aware of the account vulnerability. The local VA Information Security Officers (ISO) have already requested the passwords be reset.A review of the VA network access log for the Resident's account shows limited activity since December. Update: 03/09/12:The 59 Veterans with last names disclosed will be sent HIPAA notification letters.

Outcome:

The residents at the facility have been reminded that they are not to leave the facility with any VA patient data. The resident had his VA network and medical record access accounts disabled until he had repeated the required VA information security and privacy training module for trainees.