Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Mid South Healthcare Network (VISN 9)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on October 5, 2011. Also cited in 328 other reports.
Report ID: SPE000000067453, U.S. Department of Veterans Affairs
Reported Entity: VISN 09 Nashville, TN
Issue:
Privacy Officers (POs) became involved with this incident on 9/28/11. A string of encrypted Outlook emails was forwarded to the POs to investigate a possible privacy breach of an employee/Veteran's CPRS Record. On or about 9/21/11 - It had been reported that this employee/Veteran was involved in a possible incident of workplace confrontations. On 9/22/11, the VA police became involved and at that time accessed this employee/Veteran's VISTA Patient Inquiry Account. VA Police then went to a Supervisor in the Business Office and requested the Supervisor access CPRS to print out a picture of this employee/Veteran. A Sensitive Access Report (SAR) shows this Supervisor did access CPRS on 9/22/11, along with a statement from this Supervisor. Also on 9/22/11, Quality Management Service (QMS) prepared an Issue Brief reporting the civilian arrest of this same Employee/Veteran. The Issue Brief was reporting this incident due to his employee status, however, in the Issue Brief, they included the statement that this 28 year old employee is an OEF/OIF Veteran who is 50% Service Connected and then included 7332 Diagnosis. SAR shows access to this CPRS record on 9/22/11 by the QMS employee who prepared the Issue Brief. The Issue Brief was provided to TVHS leadership and the VISN. The Issue Brief was then forwarded to other staff to include an OEF/OIF Program Manager who then copied and pasted a portion of a Compensation and Pension Exam CPRS Note of this Employee/Veteran in the e-mail. A SAR supports this person accessed the record along with a written statement from this employee that they did access the record. The recipients of the e-mail discussion after the initial Issue Brief was sent included various Management staff at TVHS. When this e-mail was received by Human Resources Service, they recommended Privacy Officers be notified to investigate whether the medical information provided in the e-mail was obtained with or without Consent of this employee/Veteran.
It is the opinion of the Privacy Officers that this incident was reported as an employee issue and access to any of the employee/Veteran's VISTA and CPRS records was done so without proper authority. This includes the VA Police accessing VISTA Patient Inquiry Account and then asking a Supervisor to access CPRS for a photo, the QMS employee who accessed CPRS to prepare the Issue Brief and the OEF/OIF employee who accessed CPRS and pasted a portion of a CPRS note. Update: 10/05/11: The Employee/Veteran will be sent a letter offering credit protection services due to full name, full SSN and PHI being inappropriately accessed.
Outcome:
PO determined some accesses to this record were inappropriate. PO personally provided additional training to both the employees from the Business Office that were involved with this incident, as well as all of Social Work Service as it relates to appropriate access to Veteran/Employee CPRS records. A station-wide e-mail was also sent to all TVHS Employees reminding them of inappropriate accesses. Appropriate action is also being taken against some of the employees involved with this incident. HIPAA Notification letter is being mailed to this Veteran/Employee this date and is provided as an attachment.