Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
VA Southwest Health Care Network (VISN 18)
Mentioned in a privacy incident report created by the U.S. Department of Veterans Affairs on April 13, 2011. Also cited in 228 other reports.
Report ID: SPE000000060895, U.S. Department of Veterans Affairs
Reported Entity: VISN 18 El Paso, TX
Issue:
The Service Automated Data Package Application Coordinator (ADPAC) reported findings several computer access form requests for work study individuals placed on the Service network drive. Those documents contained those work study individuals' SSN and DOB. The data could it been exposed to other service employees who don't have a need to know that information and that type of data should it been saved to a different more restricted location Update: 04/13/11:The files were removed from the server. The Information Security Officer is checking whether audit logs are available to see if the files were inappropriately accessed.04/19/11:There was and is not any auditing turned-on for the access to files or folders on shared network drives. There were 11 files with name, SSN and date of birth on the drive. it is unknow how long they were on the drive. The 11 individuals will receive a letter offering credit protection services.
Outcome:
Update: Per fact-finding and review of sequence of events leading to discovery of this folder, Chief, Supervisor of Business Office, and ADPAC for this service determined that 11 employee names were listed in folder which could be accessed by other personnel in the service without a "need to know" and that while files contained minimal data (full name, date of birth and full social security number) on these employees - there was no other data available - as this was a common form utilized for requesting computer access by the responsible Supervisor for the Business Office - with fill-in boxes on the template. Chief for this Service, along with ADPAC - agreed that security and confidentiality of these folders was very problematic. Corrective Action taken included: 1. provision of the 11 affected files to facility Privacy officer on 6/3/2011 per ADPAC; 2. Review and removal of this information from this shared access drive; 3. Development and distribution/education of policies and procedures for use and appropriate access of shared drives, shared folders, and re-use/template forms requiring fill-in boxes of full name, SS#, and DOB. Additionally, Privacy Officer to provide letters of notification/offer of credit monitoring to 11 affected employees/Veterans as per receipt of NSOC enrollment information. J Winstead, Privacy officer EPVAHCS Note: Only 8 actual files with names and numbers were identified; the other 3 were forms with incomplete/mismatched bits/pieces of incorrect information that did not match any patient within our system and did not match any employee names within our system. appears that template was used to create sample forms also that were not anyone's PII - just filler in ID boxes on the template forms. So only 8 notification letters were needed/used - NOTE to NSOC---3 of the provided notification promotion codes were not utilized or needed. J Winstead, Privacy Officer EPVAHCS