Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Health Care Upstate New York (VISN 2)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on October 2, 2012. Also cited in 132 other reports.
Report ID: SPE000000080741, U.S. Department of Veterans Affairs
Reported Entity: VISN 02 Syracuse, NY
Issue:
Privacy Officer notified by VA Police that Veteran sensitive information was found in a trash bin after being placed there by housekeeping when cleaning out vacated offices on the 7th floor after a move. Upon further review it was determined that printed copies of Patient medical records were found by Housekeeping left on the floor in vacated, unlocked offices in the Medicine and Surgical Services on the 7th floor after a move the previous Friday. Housekeeping had inadvertently placed the printed copies in the trash bin, with the rest of the items left behind in the offices, to clear them in preparation for construction at the end of the week, not realizing the copies contained sensitive information. During the transport of the trash bin to the basement, a Biomed employee saw there were patient records in the bin and notified the housekeeping staff and the ISO that the information could not be disposed of in the trash as it was sensitive. Subsequently, the VA Police was contacted who also reviewed the situation and contacted the Privacy Officer for further review. The ISO and Privacy Officer removed all sensitive documents from the trash bin and placed in a secure office. The incident was reported to the Associate Director and a preliminary discussion was held regarding corrective action. The ISO and PO recommended that prior to any moves by housekeeping, all sensitive information be properly boxed, taped and labeled by the responsible staff and the supervisor of the area confirm the information has been properly secured. In addition, the supervisor will be required to conduct a final walk through of the area to ensure no sensitive information was left behind, immediately after the move. Update: 10/09/12: After further review by the Privacy Officer, details regarding the number of patients and type of sensitive information left unsecured is as follows: Patient Full Name/DOB/Full SSN: 37 patients, out of those 37 patients, 6 are deceased. 31 of these Patients will receive letters offering credit protection services, 6 Next-of-Kin notifications will be sent. Patient Full Name/DOB: 3 patients. These three patients will be sent letters offering credit protection services. Last Name/Last 4 SSN: 6 patients, out of those 6 patients, 1 is deceased. This information, while PII, is not enough to require notification or credit protection services. Full name only with medical info: 1 patient. This patient will receive a HIPAA notification letter. Summary: 34 letters offering credit protection services 1 HIPAA notfication letter 6 Next-of-Kin notifications
Outcome:
Administrative Officers educated on the requirement to properly box, label, and secure records in preparation for an office move. In addition, a Standard Operating Procedure was developed for this and provided to the Space Committee, who will provide this to all managers and supervisors prior to scheduled moves.