This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

Phoenix VA Health Care System

PHOENIX AZ - 644

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on May 27, 2015. Also cited in 102 other reports.


Report ID: PSETS0000120022, U.S. Department of Veterans Affairs

Reported Entity: PHOENIX AZ - 644

Issue:

On 05/06/14, a Veteran patient was consented to a VA research study with an invalid HIPAA authorization (signature not dated). On 05/27/15 during a routine internal Quality Assurance audit, the study staff noticed the signature page of the HIPAA authorization was not scanned to CPRS. Checking the original paper documents in the research files revealed the signature page was not dated and therefore wasn't valid, meaning the study unintentionally collected and used patient data for research without an authorization or waiver. The study comprises one visit in which the subject fills out some de-identified personality and food habits inventories, and the results are compared to the patient's CPRS data for diabetes control. One standardized personality test, strictly de-identified (test answers and a sequential study subject ID# only), was scored using an academic collaborator's fill-in-the-bubble form reader, but otherwise no information from the study left the VA. Patient data used without legal authority include the personality and food intake tests, and CPRS data relating to diabetes control; as well as demographic data (name, address, DOB, last 4 digits of SSN, and the index to the sequential subject ID#), which is stored in a key file separately from the study's personality/food inventory tests and diabetes data, on a secure VA server drive. The incident was reported to Research Privacy Officer (PO) upon discovery on 05/27/15. Remediation to date has consisted of evaluating the risk and advising the reporter to notify the Institutional Review Board (IRB). Research PO has allowed the subject's data to remain with the study while the Principal Investigator (PI) pursues a stated plan to obtain a waiver of HIPAA authorization from the IRB that would permit use of the improperly-collected data for research.

Outcome:

05/28/15: The Incident Resolution Service Team has determined that there was a policy violation. While there was an unauthorized access/disclosure of data, it has been determined that the incident has a low probability of a risk of compromise.
