Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Rocky Mountain Network (VISN 19)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on April 6, 2011. Also cited in 133 other reports.
Report ID: SPE000000060537, U.S. Department of Veterans Affairs
Reported Entity: VISN 19 Sheridan, WY
Issue:
During the Environment of Care weekly rounds, the Information Security Officer (ISO) discovered a pile of papers on a conference room table in an unlocked and open conference room. The documents included 3 patients' consult requests, one print out of an advance directive, and a printout of one patient's progress notes. There was also a listing of patients on an inpatient ward that included 8 names with last 4 digits of the SSN and the age of each patient. Update: 04/06/11: Four (4) patients will be sent letters offering credit protection services and eight (8) patients will be sent a notification letter. 04/14/11: An appeal was filed. The DBCT reviewed the appeal and had additional questions which were sent to the Privacy Officer (PO). The PO responded that the following was left unattended: 1 inpatient roster with 9 full names and last four of the SSN; 1 advance directive document that contained full name, SSN and DOB; 3 Veteran consult requests - full name, full SSN and DOB; 1 printout of progress notes with only the name of the Veteran. These document were found unattended in a conference room where the door was left open. The PO has no way of knowing for certain , but after a thorough investigation the PO believes that the documents were left there for a very short period of time and that it is highly unlikely the information was compromised. 04/19/11: The PO is appealing only the notification letters because they were left unattended for 3 hours or less in an area that has a low volume of foot traffic which consists primarily of staff. The DBCT reviewed and denied the appeal based on the fact that they were left unattended and could have been viewed by other. Credit protection and notification is still required.
Outcome:
Resolution: The staff that uses the printer was re-educated in removing documents from printers immediately after printer. The facility leadership determined that the printer would be removed from the conference room, which is unattended, and moved to a secure location in the nurses\xe2\x80\x99 station in the same building.