This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VA Southeast Network (VISN 7)

VISN 07 Birmingham, AL

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on August 23, 2012. Also cited in 225 other reports.


Report ID: SPE000000079525, U.S. Department of Veterans Affairs

Reported Entity: VISN 07 Birmingham, AL

Issue:

A male Veteran approached the volunteer desk in the atrium and handed her a carbon ribbon that contained 220 patient names (full name, date of birth, and full SS#). Some of these names are possible duplicates. Though the ribbon contained 220 Veterans information, only the 1st 10 names were readily readable as the ribbon was still machine rolled. The Veteran stated he found the carbon ribbon outside of the building on the sidewalk. The volunteer did not have the Veteran stay to talk to the police, though the police were ultimately able to identify him and are attempting contact for a statement. The carbon ribbon was traced to a zebra printer in GI Lab. Actions taken, so far include: 1. VA Police will notify IG 2. The Privacy Officer and ISO will review the current process for disposal of carbon ribbons from Zebra printers facility-wide. The current practice is to dispose of the carbon ribbons in the Shred-it bins. 3. VA Police have gathered statements from the clerk involved, who reports he changed the ribbon on 8/21/12 and stated "he always put it in the shredded bin". An RN in GI was being taught how to change the ribbon so she also has forwarded a statement, along with the volunteers. 4. The Shred-IT Company emptied the bin on 8/21/12 in GI.5. The ISO/PO has notified medical center leadership, the VISN 7 ISO, Region 3 RISD, facility CIO, VISN 7 CIO, and acting VISN 7 NISO Update: 08/24/12: Letters offering credit protection services will be sent to 10 Veterans. The tape was found by a Veteran who turned the tape into a volunteer who turned it into the VA Police. The VA Police in turn reported this to the IG. The Veteran, volunteer and the staff that are in the clinic were all questioned. The clerk who changed the tape stated they did put it in the shred bin the same day that the shredding contractor came to get the shred bin. The area that the tape was found is the same area the truck from the shredding company was parked so it appears that the tape simply fell out of the bin while it was being emptied into the shredder. The tape is approximately three feet wide and is factory wound on spools. It was still very tightly wound and would have been extremely difficult to wind the tape backup as it originally was. In-between the spools there is some loose, exposed printer ribbon which had six unique names and social security numbers displayed. The ISO did unwind the printer ribbon to inventory the remaining information and he found 188 unique names and social security numbers. The OIG did come onsite today and questioned all involved, including the shredding company. The ISO has not yet received a report from the OIG. The ticket has currently been coded for 10 credit protection services. The site believes there is no reason to suspect malicious intent and has no reason to suspect the 188 names and social security numbers have been revealed. The offers for credit protection service can now be changed to six.

Outcome:

Credit monitoring letters mailed 9/11/2012. BVAMC Police consulted with the Inspector General (IG) who advised no further action required. Environmental Management Service (EMS) contacted contractor to discuss the issue. No fault determined to be on the employee.

Related Reports:

Do you believe your privacy has been violated? Here’s what you can do: