Governance & Risk Management , Privacy

Personal Info Exposed on Web Calendar

VA Residents Hadn't Changed Password in Three Years
Personal Info Exposed on Web Calendar
Orthopedics residents at the Department of Veterans Affairs' Chicago Healthcare System used a web calendar application for three years, exposing personally identifiable information of 878 patients, a violation of VA policy.

According to the VA's Monthly Report to Congress on Data Incidents for November, four orthopedics residents at the Chicago healthcare system maintained a calendar of patients' data on that included full names, dates and types of surgery and the last four digits of patients' Social Security numbers.

On Nov. 23, the healthcare system's information security officer, chief of surgery and chief orthopedics resident met, where the chief resident logged onto the calendar to show it to the ISO. The next day, the VA blocked access to the site. On Nov. 29, the VA deleted the calendar after each entry was printed to be used in the investigation.

The residents never changed the password during the three years the calendar was in use.

The VA said the 878 patients were being notified.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.