Northwest Network (VISN 20)

Report ID: SPE000000067761, U.S. Department of Veterans Affairs

Reported Entity: VISN 20 Seattle, WA

Issue:

A proximity card and a log book containing personally identifiable information (PII) and protected health information (PHI) were stolen from a VA Puget Sound Health Care System (VAPSHCS) doctor's vehicle while he was off VA property. There was approximately 50 patients' PII/PHI involved. Update: 10/18/11:The doctor did not have authorization to take to take documents with patients names off campus. The Information Security Officer (ISO) and Privacy Officer (PO) are investigating to see exactly what PII/PHI was involved and if the patients can be identified.10/25/11:The list of names on the log book is not known, but a list of potential names based on the residents schedule has been created. The patients' names, SSNs, and medical information were in the logbook. The residents are required to keep track of procedures, and have the authority to do so, but this included clinical information. The 59 patients whose names could have potentially been in the log book will be sent letters offering credit protection services.

Outcome:

VAPSHCS Privacy Office and Information Security Office have addressed the incident through the appropriate reporting mechanism. The VA Police are actively investigating. The Service Line Leadership is discussing implementation of procedural changes and training designed to reinforce privacy concerns associated with physician logs. The Chief of Staff directed the Assistant Chief of Staff (ACOS) for Education to immediately reinforce to all house staff that the recording of PII or PHI in case logs is strictly prohibited. This will also be communicated to all the Residency Program Directors at the academic affiliate. The investigation is ongoing.