This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

VA Mid-Atlantic Health Care Network (VISN 6)

VISN 06 Durham, NC

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on January 23, 2013. Also cited in 187 other reports.


Report ID: PSETS0000084949, U.S. Department of Veterans Affairs

Reported Entity: VISN 06 Durham, NC

Issue:

A Durham VA Prosthetics representative went to an off-site warehouse on 12/13/12 to remove VA equipment. The warehouse was owned by a vendor who was under OIG investigation and is no longer in business. They found a large trash barrel full of documents in the warehouse. The Durham VA staff brought it back to the Prosthetics main office. In the files were things like sales quotes, sketches of ramps or other structural plans, checklist forms about the condition of the home, etc. Some had patient name and address. Four had last 4 of SSN. The warehouse was locked at the time of the visit but there is no way to know what level of security existed at the site. The property is under foreclosure. After sorting the paperwork by VA Medical Center, it was determined that 13 of the individuals belonged to the Durham VA and the paperwork that belonged to the other VA Medical Centers was securely distributed to the Privacy Officer at that medical center.

Update: 01/28/13: There is no evidence to suggest that the documents were at risk of compromise at the vendor's warehouse. The PO was told that the warehouse was locked upon arrival. The Durham VA and VISN 6 no longer use this vendor for prosthetics equipment. The vendor was under investigation by the OIG for collecting funds but not providing services or items to Veterans. This occurred approximately 2-2.5 years ago. The OIG special agent who investigated the case was present on 12/13/12 and found the trash barrel full of documents in the warehouse. He states when they arrived at the warehouse they had to wait for someone to unlock the building. A representative from the company who foreclosed on the vendor unlocked the warehouse for the VA employee and OIG.

01/30/13: The trash barrel was not secured in any way. There was no closed top. It was sitting open in the warehouse. There was no additional physical security surrounding the warehouse. The business is in a row of other businesses accessible from the front and back to the public. No cameras were observed in the area. After the vendor vacated the warehouse, the keys to the business were with vendor's Attorney until the morning of 12/13/12. The representative from the foreclosing company retrieved the keys from the Attorney on the morning of 12/13/12. OIG and VA staff arrived at the business before it was unlocked and waited for the representative from the foreclosing company to arrive. When he did arrive, he opened the back bay door to allow them access. There was a Business Associate Agreement in place with the vendor that stated that the protected health information (PHI) provided by the Covered Entity to the Business Associate and its contractors, subcontractors, or other agents, or gathered by them on behalf of Covered Entity under the Agreement is the property of Covered Entity.

02/13/13: This case is still under investigation.

02/14/13: The PO was in contact with the attorney whose client currently owns the warehouse where the trash barrel was initially found. The attorney states there is another box of information in the warehouse. The attorney states the warehouse locks were changed on 12/13/12 and the information is currently secure. The PO consulted with Regional Counsel (RC) regarding this case as it was referred from OIG to US Attorney's office.

03/04/13: VACO OGC contacted RC who contacted OIG. The OIG Attorney indicated that he wanted a brief summary of the newly discovered documents, but is not interested in investigating the breach at this time. His main interest was the putative fraud by the vendor, and he believes it is unlikely that the new documents relate to the fraud. Consequently the RC Attorney is unaware of a law enforcement reason to delay notification.

03/08/13: The final count including the information in the second box which was retrieved on 03/01/13:
(1) the total number of affected individuals = 493
(2) the total number whose PII, including full SSN OR name and date of birth was potentially compromised = 104
(3) the total number of individuals whose PHI was potentially compromised (these are those who have PHI but who do not fall into the PII (#2) group.) = 389
The 104 individuals will receive a letter offering credit protection services. The 389 individuals will receive a HIPAA letter of notification.

Outcome:

All paper associated with this privacy incident was recovered. The VA is no longer doing business with this particular vendor and the case was investigated by OIG.
