Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA New England Healthcare System (VISN 1)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on January 11, 2013. Also cited in 204 other reports.
Report ID: PSETS0000084535, U.S. Department of Veterans Affairs
Reported Entity: VISN 01 Boston, MA
Issue:
An employee of an on-site research institute is suspected of identity theft of approximately 150 VA employees. This affiliate has the individually identifiable information (III) of approximately 150 VA employees. Update: 01/11/13: At this time the incident must remain completely contained as jurisdiction is decided and the investigation continues. The Privacy Officer (PO) will not receive an update for at least one week. A list of employees, mostly Without Compensation (WOC), will be sent to the PO in paper form in a secure envelope. Their Attorney reported that they may be required by the State of Massachusetts to provide notification if it meets the requirement. 01/14/2013: This incident is under investigation. 01/18/13: The Attorney was out but the PO was able to talk with the Human Resources (HR) assistant that has the list of employee names. She was in attendance at the meeting the PO had with them last week. She has not released the names to PO yet due to this being an active investigation. She reported that the employee in question was contracted out of an agency that claims they did conduct a background check. She also reported that notification responsibility may fall upon that agency or the Boston VA Research Institute (BVARI) and not VA depending on the business agreements/contacts in place. (A background check was never completed by VA and was requested as the employee in question was in the WOC process. They noted in hindsight it now appears that this employee was stalling his WOC appointment). 01/22/13: The incident is still under investigation by the OIG. 02/4/13: This incident is still under investigation by the OIG. 03/05/13: The name of the organization is BVARI, Boston VA Research Institute. The PO will investigate the specifics of the relationship and report. Their Offices are located at our Jamaica Plain Campus. All of their employees are fingerprinted and given badges for access to the building. Many of the researchers are VA employees. They do have an attorney and the PO initially asked for information regarding their contract with VA. She will need to follow up on that request. She does not know if there is a BAA. She will also update the information in the ticket to reflect that the contracted employee had access to SPI, names, addresses and SSNs of the employees because he was in the HR area filing paperwork. 03/12/13: The suspect had access to 174 people's information, possibly 5 more, 179. They were able to get into some HR areas.This will be getting 174 (or 179) CPS. The OIG has been asked if they can send the CPS letters 04/26/13: update 200 Credit protection service will be offered to the individuals who had their SSN at risk. 5-13/13: final count was 183 instead of 200.
Outcome:
Federal indictment for responsible employee. Credit monitoring letter mailed to 183 individuals that may be impacted.