Rocky Mountain Network (VISN 19)

Report ID: SPE000000059281, U.S. Department of Veterans Affairs

Reported Entity: VISN 19 Salt Lake City, UT

Issue:

A contractor for a bio-medical device company had his car broken into. Some written material and an encrypted laptop that contained some Personally Identifiable Information (PII) were stolen. Update: 03/14/11: The laptop was encrypted. The written material consisted of a book that has entries utilizing full patient names. The contracting company is in contact with the Information Security Officer (ISO) and will be updating the ISO as their investigation continues into how many names are in the book. 03/15/11: The laptop and "black book" have been located at another facility. The other facility is possibly not a VA facility. The bio-medical company's ISO/PO will be reviewing the laptop to determine if anyone accessed the laptop during the time it was missing, and will provide the results of that review to the VA ISO evaluating this incident. The ISO is requesting the names and types of information recorded of VA patients on the laptop and the "black book". 03/21/11: The ISO is still waiting to receive the list of names and information in the "black book", he has been told he will be receiving the information today (03/21/11). 03/22/11: The scan of the laptop has returned and indicated the laptop had not been logged into, or even powered on during the time the laptop was out of the contractor's possession. Scanned copies of the "black book" have been provided to the ISO. 03/22/11: Upon further review of the information in the "black book", notifications are needed for Veterans whose pacemaker information was listed with their names.

Outcome:

HIPAA notification letters have been sent to 33 patients and the next of kin to 4 deceased patients. The vendor rep who misplaced his laptop and other documentation has been re-educated regarding the responsibilities of vendors to protect VA sensitive records.