Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Sunshine Healthcare Network (VISN 8)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on April 4, 2011. Also cited in 369 other reports.
Report ID: SPE000000060392, U.S. Department of Veterans Affairs
Reported Entity: VISN 08 San Juan, PR
Issue:
A Facility Management Service (FMS) supervisor was performing rounds and discovered unopened and opened bags with patient and employee information in the hallway of the 7A ward. Update: 04/04/11: A quick investigation revealed that the bags were left unattended on 03/30/11. The information includes patients' and employees' names, full SSNs, diagnoses, 7332 information, medications and other identifying information. The entire Medical-Surgery unit moved to a new location and they left all the documents that were supposed to be disposed of in this public hallway. There are no cameras in the hallway. The bags were located approximately 12 feet from a public elevator. 04/07/11: The Director of the facility has authorized a team of 20 to help count and categorize the documents. They will work through the weekend of 04/09/11-04/10/11 to complete the counting. At this point over 1,600 individuals have been identified. 04/08/11: The team has identified 8,624 names, but duplicates have not been taken out at this point in the process. 04/11/11: A team of 80 employees reviewed the documents over the weekend and all paperwork has been reviewed. Duplicates are being eliminated today. No final count has been given at this time. 04/12/11: Duplicates are still being determined, and no final count is available. The DBCT has decided this will require notifications and/or credit protection services offers. This will be a HITECH Act reportable incident. 04/14/11: The counts are as follows: 1,691 offers for credit protection services (full SSN disclosed, 1,489 next-of-kin notifications (deceased Veterans with full SSN disclosed), and 8,860 HIPAA notifications (medical information, but no full SSN). The 8,860 number could decrease if additional duplicates are found. 04/19/11: These are the final counts per the Medical Center Director: 1690 credit monitoring 4323 for notification letters (includes Next of Kin notifications) 6013 Total 05/17/11: VACO has approved the 3 letters (HIPAA, Next of Kin, and Credit Protection Services), the question and answer document, and the press release. The Incident Resolution Team has forwarded these to the facility. 05/19/11: The final counts of letters which were sent today were: 1690 credit monitoring and 4316 letters of notification. The press release will be done on May 20, 2011. 08/04/11: 73 Veterans could not be located so the number of credit monitoring offers have been lowered to 1,617. 09/06/11: To comply with the HITECH Act, San Juan has posted their conspicuous notice on their web site.
Outcome:
All documents were secured immediately when this was discovered. The employee responsible for this breach has resigned. All service chiefs and nurse managers were informed of the incident and a reinforcement of privacy and information security regulations were communicated to all staff. Procedures have been put in place to prevent this from happening again, including: nursing leadership now conducts rounds on wards immediately after they are vacated; a facility deactivation team, led by the Director, will conduct additional rounds on each unit if it is vacated; a campaign to re-emphasize the requirement to comply with privacy and information security policies was initiated for the entire facility; actions have been taken to review and enforce the facility's records management policies.