VA Southeast Network (VISN 7)

Report ID: SPE000000067647, U.S. Department of Veterans Affairs

Reported Entity: VISN 07 Birmingham, AL

Issue:

On 10/11/11, between 5:45 PM and 6:15 PM, a log book with personally identifiable information (PII) and protected health information (PHI) was stolen from a VA physician's car. This log book contained the following information on approximately 377 patients: full name, full SSN, DOB, name of procedure, date of procedure, and follow-up required. A Police Report was filed and the Privacy Officer (PO) will obtain a copy. The list of Veterans involved has been re-created. Update: 10/13/11:The 377 Veterans will be sent a letter offering credit protection services due to full name and SSN being disclosed.10/17/11:The logbook was being used to track procedures performed by the provider during his fellowship. The provider carried the log book home each night and would enter the information into a system called "e-value" which is used by an affiliate hospital to track the progress of patients.

Outcome:

Credit Monitoring letters were mailed to all affected Veterans or next-of-kin on 10/20/11. The physician was counseled and has re-taken the VA Privacy and Information Security Training. The Affiliate Program Director was notified of the breach. All gasto-intestinal (GI) residents/fellows were instructed to immediately stop entering any PII/PHI into the e-value System as of 10/13/11. The PII/PHI was removed from the e-value system for the GI training program on 10/13/11. The PO and ISO are developing a summary of privacy/security requirements to be given to all physician trainees as part of orientation to emphasize requirements. An investigation is being conducted to determine other users of e-value system (or like systems) and appropriate action to be taken (see related SOC Ticket 67757).