This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

Northwest Network (VISN 20)

VISN 20 Portland, OR

Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on December 8, 2011. Also cited in 208 other reports.


Report ID: SPE000000069476, U.S. Department of Veterans Affairs

Reported Entity: VISN 20 Portland, OR

Issue:

A medical resident's backpack was stolen out of his vehicle on December 3, 2011. In the backpack was a small notebook in which the resident kept a list of the patients he had treated for follow-up purposes. The notebook's loss was initially reported to the resident's University on December 5, 2011. A report was also made to local police. Today the University's Information Security Officer notified this VA facility Privacy Officer that he had just learned some VA patients' information (full name, full SSN, DOB, and medical information) contained in the notebook were Veterans. The resident has identified that the book would have contained the names, medical record numbers (social security numbers for VA patients), date of birth, basic vitals, chief complaint, and the date of treatment. He indicated the notebook would have only contained Veteran information from six days of his October VA rotation. Our facility will run reports to determine which Veterans the resident has treated. Update: 12/12/11: The resident was recording Veterans he treated while on a rotation in a department related to his specialty. 49 Veterans have been identified as being recorded in the notebook. The resident has turned in a second notebook which he was keeping for the same purpose. Letters offering credit protection services will be offered to 49 Veterans.

Outcome:

The medical resident whose notebook was lost in his stolen bag provided the Privacy Officer with the two other small notebooks he had. He stated he had no other Veteran information in his possession. He has been instructed that residents are not permitted to keep patient information outside of VA for their program tracking purposes. He is also to retake training modules to ensure he is up to date. The Chief of Staff's office has sent an email to all VA residents and clinical trainees to state that it is not acceptable for them to remove Veterans information from the medical for their own use. They have been instructed that all information must be secured at the hospital or destroyed in accordance with our policies. They have also been reminded of the requirement to complete the mandatory annual information protection and privacy training. The facility is pursuing the drafting of a local policy outlining how information required by clinical training programs may be collected, stored, and disclosed to meet their needs in accordance with VA Information Security and Privacy policies.
