South Texas Veterans Health Care System

Report ID: PSETS0000108680, U.S. Department of Veterans Affairs

Reported Entity: SOUTH TEXAS VETERANS - 671

Issue:

When attempting to have Capitalsolutiondesign assist with technical issues on enrolling mental health patients in the appropriate service, screen shots were taken of the problem and sent to the Contractor. The VA staff member did not realize in the background of one of the screen shots, there was a CPRS record open that showed a Veteran's partial name and full SSN. There were two screen shots sent and they contained: First screenshot contained a patient name (patient #1) and mental health score information. (PHI) Second screenshot contained a full SSN and a partial name from a CPRS window in the background (patient #1), it also contained a second patient full name and mental health score information (PHI) (patient #2) Immediately upon realizing the error, the Contractor notified the VA staff member and VHA Information Security Officers (ISO) at Philidelphia (location Contract iniitated). Everyone at the company deleted the message. The ISO was immediately notified by the VA staff member of the incident, there were two Veterans affected. This is a VHA wide Contract with a National BAA in place. Note: patient #1- name was on both screen shots (partial and full name),full SSN and mental health scores. Patient 2-full name and mental health scores. In all there were 2 patient names, one full SSN, partial SSN and PHI breached.

Outcome:

09/04/14: The Incident Resolution Service Team has determined that there was a policy violation. While there was an unauthorized access/disclosure of data, it has been determined that the incident has a low probability of a risk of compromise.

Related Reports:

1 other violation reported on the same date. Note that other citations may be about the same event: PSETS0000108669