This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VA Mid-Atlantic Health Care Network (VISN 6)

VISN 06 Durham, NC

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on January 18, 2012. Also cited in 187 other reports.


Report ID: SPE000000070804, U.S. Department of Veterans Affairs

Reported Entity: VISN 06 Durham, NC

Issue:

On 01/13/12, at approximately 4:30 PM, Doctor A noticed that his personal unencrypted MacBook Air laptop was missing from his office which was being gutted for new carpet placement. The laptop was last seen by Doctor B between 2:00 PM and 3:00 PM. Prior to gutting the room, staff members were asked to remove all valuable personal possessions or box them up for storage until the project is completed. Doctor A did not thoroughly remove/store his personal possessions. There is a chance that the laptop was boxed up and stored, but that cannot be determined until all the boxes are unpacked. There is no estimated completion date for that activity. Both Doctors A and B are in the habit of leaving their office door open during the normal tour of duty because they frequently go in and out to the Operating Room. Approximately 3 years ago Doctor A transferred the contents of his old personal laptop to the MacBook Air. One of the folders included letters to VA patients. Shortly after the transfer, that folder was deleted. However, Doctor A is not sure that one or more letters weren't accidentally stored in another folder. It is unlikely that VA patient information is obviously visible to the casual observer, however, we cannot discount the possibility that some information remains. The Service Chief, Chief of Staff, Director and Chief of VA Police were notified. If the laptop is found, Doctor A will contact the Information Security Officer. Recommendations for improved physical security were made to the Director.

Update: 01/20/12: The Facility Police Service and the Information Security Officer (ISO) questioned the contractor who was installing the carpet. He did not see the MacBook Air and has voluntarily submitted a statement to the Police to that effect. The Facility has used this contractor for years without experiencing missing equipment issues. There are no cameras in this area. The Chief of Staff tasked an administrative staff member in the service with opening the boxes in which Doctor A stored his personal possessions for the renovation. She will begin searching the boxes today. Doctor A did not have a waiver to store information on his laptop. This facility has not authorized such storage since 2006. The ISO can only speculate as to why he wrote the patient letters on his personal laptop. Doctor A is on vacation and will return Monday. The ISO will get an answer to this question then. The Facility is investigating ways of recreating the group of patients to whom he sent letters.

01/23/12: As of this update, the laptop has not been recovered. The Administrative Officer (AO) of the service has been through the office of the Doctor in question to search the packed boxes and was not able to find the laptop. With the likelihood that the laptop is not recovered, the AO is working on generating a list of patients that would have been seen by Doctor A and therefore could potentially be impacted. The Doctor will return on Monday morning and will be working to find the laptop and verify the list. Once complete, the list of potentially impacted patients will be given to the Privacy Officer.

01/24/12: The ISO requested that Doctor A provide a plan with a due date for compilation of a list of patient names by tomorrow and copied the Chief of Staff and Associate Director.

01/25/12: There were a total of 65 Veterans whose information (medical and full SSN) was on the MacBook Air laptop therefore 65 Veterans will receive a letter offering credit protection services.

Outcome:

The letters were uploaded to the portal and mailed on 02/01/12. The Doctor has been notified not to store sensitive information on his laptop. The ISO requested improved physical security for the area with either use of the existing locks or installation of card readers or key pads for individual offices or the suite.
