Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Mid-Atlantic Health Care Network (VISN 6)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on November 8, 2011. Also cited in 187 other reports.
Report ID: SPE000000068443, U.S. Department of Veterans Affairs
Reported Entity: VISN 06 Durham, NC
Issue:
It was reported on 11/07/11 by a Logistics employee that the vehicle of a KCI USA, Inc. representative was broken into on 09/08/11 and a mobile device containing VA sensitive information was stolen. Upon discovery of the theft, KCI USA, Inc. reported the incident to local law enforcement. They also sent a letter via normal mail to the Durham VAMC on 10/27/11. The mobile device was used to assist the representative in the delivery of KCI products. The identifiable information stored on the device included patient first and last name as well as the physical location in the hospital at the time of delivery of 46 patients. The device is password-protected and requires the use of proprietary cable and docking cradle in order to synchronize the device with any other devices. The cable and docking cradle were not stolen. This incident is the result of a purchase order for a GSA contract that has not been reviewed by the local Information Security Officer (ISO) and Privacy Officer (PO). The letter to the Durham VAMC from KCI USA, Inc. includes a print out of the data that was on the device. Durham VA Police have been notified and are investigating the theft. The ISO has attempted to contact the company representative who sent the letter explaining the incident but has not received a call back. The COTR is also trying to get more information about the incident. Update: 11/23/11:Forty-six (46) Patients will be sent notification letters, due to PHI being stored on the stolen device (name and hospital information).
Outcome:
Credit monitoring letters have been sent out to potentially affected individuals. This incident was the result of a purchase order that was not reviewed by the ISO or the Privacy Officer. Normal contracts are already reviewed by each sites ISO and PO. Since this event, procedures have been put in place so that all contracts, especially purchase orders for GSA contracts are also reviewed by the ISO and PO in order to avoid incidents like this in the future.