This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

Northwest Network (VISN 20)

VISN 20 Seattle, WA

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on November 18, 2011. Also cited in 208 other reports.


Report ID: SPE000000068829, U.S. Department of Veterans Affairs

Reported Entity: VISN 20 Seattle, WA

Issue:

A vulnerability was discovered on a shared listserv utilized by VA Puget Sound researchers, the Fred Hutchinson Cancer Research Center and possibly twenty-five other sites involved in Bone Marrow Transplant studies. An email/listserv was utilized by all twenty-five sites to share protected health information (PHI) and other research data. The Associate General Counsel for Fred Hutchinson Cancer Research Center contacted the Director, Human Research Protection Program that the "secured" email/listserv system utilized by the twenty-five research sites may have been "unsecured" since February 2009.

Update: 11/22/11: The Privacy Officer (PO) is still awaiting word from the research group and Information Security Officer (ISO) in regards to the data elements that were unsecured and any other relevant information related to this ticket.

11/30/11: Fred Hutchinson Cancer Research Center has confirmed that VA patient data was accessible to the public via the web. They have not yet confirmed a solid number. Right now we believe there are upwards of 40 patients. The relationship with VA is primarily research. Patients sign an Informed Consent and HIPAA Authorization for data use. There is a Memorandum of Understanding (MOU) which is currently being reviewed by Counsel for validity.

12/05/11: A total of 44 patients can be identified whose name, full SSN and PHI including diagnosis, medication and lab results can be identified. These 44 patients will receive an offer for credit protection services. The emails were stopped, the data was removed from the web and they are looking into another method of communication.

Outcome:

The Director's Office is convening an Administrative Investigation Board (AIB) to more fully investigate this incident. Training on privacy policies and procedures will be conducted in conjunction with the ISO and Research and Compliance Offices. Monitoring letters sent.
