Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Mid South Healthcare Network (VISN 9)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on July 9, 2012. Also cited in 328 other reports.
Report ID: SPE000000077627, U.S. Department of Veterans Affairs
Reported Entity: VISN 09 Memphis, TN
Issue:
The Privacy Officer (PO) received an email from a VA staff member from the from Purchase Care Department stating that she spoke with a Veteran regarding a denied claim. She stated during their conversation, the Veteran's wife hinted that in February 2012, her husband received a denied claim from Memphis VAMC which had two other Veterans' claim letters attached. The Purchase Care staff asked about the names of the Veterans involved and then notified the Assistant Chief of the Business Office. Copies of the claim letters have been forwarded to the PO for follow up with the complainant. Upon review of the claim letters, the PO noted that it contains mailing (home) address and the Health Care Finance Administration (HCFA) ID numbers of the affected Veterans. The PO will call the complainant to request for the two claim letters to be mailed to Memphis VAMC Privacy Officer. Update: 07/10/12: The two Veterans will receive a HIPAA notification letter
Outcome:
PO conducted a fact-finding and met with one of the VA employees believed to be responsible for this incident. This VA employee is deaf and requested for an interpreter. Meeting started at 3:00 pm. Employee admitted that she is responsible for what occured. She stated that she has always paid close attention to ensure that no more than one claim letter is put into an envelope but she admitted this particular incident happened by accident. She pledged her support to ensure incident like this will never happen again. Employee has not taken VA Privacy and HIPAA training as of the time of the fact-finding. Emplyee stated she has taken her VA Privacy and HIPAA training. PO verified training in TMS, employee completed training in April 2012. PO stated to her that this incident has resulted in PII compromise since the claim letters contained mailing address of the affected Veterans. PO discussed VA National Rules of Behavior with employee and requested her to take it back to her office to review it thoroughly. PO explained the implication of reviewing and completing the VA National Rules of Behavior. PO requested employee send a signed copy of this document to be filed with the fact-finding records and another copy to be sent to her supervisor. Tomorrow, PO will submit two notification letters to the Medical Center Director for his signature. On 7/30/2012, PO uploaded redacted copy of Notification letters; all fact-finding meetings completed and complaint has been resolved. PO has notified Supervisor about the outcome of the fact-finding and necessary follow up.