Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA NY/NJ Veterans Healthcare Network (VISN 3)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on April 16, 2012. Also cited in 59 other reports.
Report ID: SPE000000074196, U.S. Department of Veterans Affairs
Reported Entity: VISN 03 Montrose, NY
Issue:
A VA Hudson Valley Employee sent VA Sensitive Information unencrypted from a VA Outlook account to a personal email account. The Hudson Valley Information Security Officer (ISO) and Privacy Officer (PO) are conducting fact finding and will update this ticket when more information is known. Update: 04/19/12: The employee was a part time employee who had administrative duties working on a research project. The research project was ending and she has left VA for a different job. She had sent 67 emails to her home email account, four of which had attachments with some patient data. Approximately 105 individuals had personally identifiable information (PII) on these documents, and approximately 2200 individuals who had full name and last four digits of the SSN included. The OIG is investigating this. There is no reason to believe there was malicious intent at this time. The employee was in good standing and it is believed she was catching up on her work prior to leaving VA employment. The Information Security Officer (ISO) and Privacy officer (PO) will be following up with the OIG to check the status of the investigation. 04/24/12: Further investigation reveals there were 5 attachments and the new number is 2,638 total patients. The OIG is investigating. After further review of the individual's inbox, it was discovered that the system blocked several of the messages that contained SSNs in the attachments. Staff are comparing the blocked messages with the original sent messages to see exactly what was successfully sent to the individual's home e-mail account. 04/27/12: OIG conducted interviews with research employees associated with this incident. The research employees fully cooperated with the OIG. The employee's personal computer was retained by VAOIG and is being sent to D.C. to have an analysis of the hard drive conducted to determine if any PII information was forwarded. Incident is still pending confirmation by Facility ISO that information was not released. 05/17/12: The ISO has recieved information that the e-mails were blocked by the system from being sent to the employees. Only one SSN is believed to have gotten through the filter and that individual will be sent a letter offering credit protection services. The OIG has reviewed the PC and found no PII. The facility is waiting for the PC to be returned from OIG.
Outcome:
The employee has been terminated from the Department of Veteran Affairs. The Laptop had been reviewed for any saved proprietary or sensitive information by the IG Investigator with negative findings. The employee was interviewed by the Hudson Valley Police Service as well as the IG Investigator. The former employee was educated on the violation and the consequences and penalties which can result from any compromise of sensitive Veteran information. A follow-up report recommended that access to VA Systems should be removed upon termination of employment.