Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Phoenix VA Health Care System
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on April 10, 2015. Also cited in 102 other reports.
Report ID: PSETS0000117926, U.S. Department of Veterans Affairs
Reported Entity: PHOENIX AZ - 644
Issue:
One patient was consented to a research study on 11/24/14. A routine audit by the Research Compliance Officer (RCO) on 04/03/15 showed several documents not scanned to CPRS, including pages 2-3 of the HIPAA authorization. The investigator who maintained these records is a Fellow who was in a rotation outside of Phoenix VAHCS at time of initial discovery. A follow-up search of the original paper records when the Fellow returned to the VA station 04/10/15 was unable to locate original paper pages 2-3 (of 3) of the HIPAA authorization. A subsequent search by Research Pharmacist showed the Pharmacy copy also consisted of only page 1 of the HIPAA authorization, identical to CPRS copy. Preliminary investigation suggests loss of pages was therefore at the time of consent. Apparent loss of these two pages was reported to Research Privacy Officer (PO) on 04/10/15. The protected health information (PHI) on pages 2-3 of the local form is full name, last 4 digits of the SSN, DOB, and participation in a research study. The study is an unfunded local Fellow project, and the topic of investigation is not identified on the missing pages. The only non-template language on the missing pages is the name and VA mail code of the Principal Investigator (PI). The Research PO advised reporting of the event to the Institutional Review Board (IRB). Research information pertaining to this subject is being left in custody of the investigator pending IRB and PI determination whether to obtain a new, valid HIPAA authorization from the patient to permit research use of the information, or to recover this individual's information for lack of a valid authorization.
Outcome:
04/13/15: The Incident Resolution Service Team has determined that the Veteran will be sent a letter offering credit protection services, as the document with his name, DoB, and other information has been lost.