Michael E. DeBakey VA Medical Center

Report ID: PSETS0000098566, U.S. Department of Veterans Affairs

Reported Entity: HOUSTON TX - 580

Issue:

MEDVA Social Worker notified VA Police dispatcher that her VA issued laptop and personally owned briefcase were stolen from the front seat of her vehicle. The laptop was encrypted. The briefcase is believed to have contained approximately 200 Veterans' patient information from the Housing Urban Development VA Support Housing program. Her government issued credit card was also stolen. The Privacy Officer (PO) is waiting for the employee to contact the PO or Information Security Officer (ISO) for more information about what was in the briefcase. The Houston Police Department provided the initial report number.

Outcome:

12/31/13: Per the PO, the laptop was left on the front seat of the employee's car in her personal briefcase. The following was in the briefcase. A spreadsheet that contained Veterans' last name, first name, telephone number, and some had addresses but not all. There were 52 Veterans' names. Of these, the full SSN was included for 31, 17 had partial SSN and 4 had no SSN. There was no protected health information (PHI). These Veterans are in the Housing Urban Development VA Support Housing program (HUDVASH). There was also a Scheduling Book that she had been keeping for about a year. There were no SSNs and no PHI in the Scheduling Book. The Book contained the Veterans' name, phone number and address. When asked if she could recreate the information in the Scheduling Book, she said no, but it should be the same Veterans on the excel spreadsheet. These are the patients she takes care of. No personal items were taken. It was reported to the VA Police and local Police. The VAPD will be sending Officers to the Post Office to review the security cameras. 01/02/14: The employee provided additional paper spreadsheets that were in the briefcase to the PO . The totals have changed to: Total Veterans-76 Full SSN-46 Partial SSN-24 No SSN-6 01/03/14: The laptop was last on the VA network on 12/28/13. It was disabled from accessing the network on 12/31/13 at 11:25 in the morning, as soon as IT identified what laptop it was. When the PO asked the VA Detective if he had gone to the Post Office to review the security tapes, he replied: "No I haven't. The last word and instructions I've received is that OIG is running with this case. We (the VAPD) wrote the initial report but upon OIG's adoption of this case per email dated 12/31/13, the VAPD is not conducting an active investigation of this case but rather, remain as a supporting agency for tasks such as entering the identifiable information of the stolen laptop into the NCIC computer, facilitating contact between OIG and MEDVAMC employees. Although I cannot speak for OIG and their investigation, I am confident they will follow every investigative lead associated with this case i.e. search for video tapes if they in fact exist." 01/08/14: The PO spoke with the OIG agent. It is ok to proceed with the notification. The OIG has not identified a suspect. The Incident Resolution Team (IRT) determined that 46 patients will receive letter offering credit protection services, since their full SSNs were exposed. The remaining 30 patients will receive letters of notification, since their names and home addresses were exposed.