Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Veterans In Partnership (VISN 11)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on June 14, 2011. Also cited in 213 other reports.
Report ID: SPE000000063670, U.S. Department of Veterans Affairs
Reported Entity: VISN 11 Detroit, MI
Issue:
On the second day of an Information Technology Oversight and Compliance (ITOC) inspection, the ITOC inspector requested to see the hard copy, wet signature Rules of Behavior (ROB) forms on 5 employee/contractors to see if the documentation was on file. Two of the five requested forms were found. Office of Information and Technology (OIT) staff were requested to pull the ROBs since they were stored there. The following day the ISO was informed that OIT no longer had the books because the binders were tossed out during a move. The binders were clearly labeled chronologically and alphabetically. The ISO asked the OIT staff to look everywhere in case they were misplaced during the move from the 7th floor back to the basement. The OIT staff looked for the documents all over the department for 4 days. One of the OIT employees stated that the binders were tossed in the trash during the move from the 7th floor. This incident happened almost a year ago, was only discovered several days ago, and confirmed on 06/14/11. The documents thrown out included all of the computer access forms from the beginning of the VISTA computer system through 2005. Also thrown out were documents of VISTA patches and VISTA programs.
Update: 06/15/11: The ISO requested that OIT pull a VISTA report of VISTA employees from Feb 1987 through Dec 31, 2005. When completed, the ISO will send the total number of employees to the NSOC. The personally identifiable information (PII) included on the computer access forms were full name, date of birth and full SSN. Beginning in 2007 when OMB instructed all Federal Agencies to remove the full SSN, the access forms were changed to include the last four of the SSN instead of the full SSN.
06/23/11: After removing duplicates, the number of affected individuals stands at 18,557. All of these had at least full name and date of birth on the forms. Some also included full SSNs. IT staff are continuing an extensive search of the facility in order to be certain the binders are missing.
06/28/11: The national Data Breach Core Team (DBCT) decided that credit protection services/next of kin notifications will need to be done for all employees on the list. After removal of additional duplicates, the final number that has been accounted for in the report is 10,115 users.
07/05/11: The most recent review of the list of employees indicates that 66 are deceased and will require next of kin notification.
08/02/11: The final numbers are as follows:
5,108 total with addresses who did not die as an employee (credit monitoring offers)
54 total with addresses who died as an employee (next of kin notifications)
4,939 total without addresses who did not die as an employee
14 total without addresses who died as an employee
Outcome:
New security measures have been implemented for the remaining documents and a more secure mechanism for maintaining these records in the future has been put in place.