VA Security Incidents for May Revealed
Even the Smallest Cases Listed
Roger Baker, assistant secretary for information and technology, offered a litany of security incidents that occurred last month in all VA units, including healthcare, at a June 16 news media teleconference. The VA, which provides healthcare to about 6 million veterans a year, tracks dozens of incidents every month, he acknowledged.
Baker, who plans to offer monthly security updates, held his first briefing with the media May 27 in the wake of a Congressional hearing that took the VA to task for security lapses.
Role of Encryption
Five of the laptops stolen in May were encrypted, so the VA is not revealing the information they contained, Baker said. The other laptop, which was not encrypted, did not contain any patient information.
Under the HITECH Act's Breach Notification Rule, incidents involving information encrypted in a specific way do not need to be reported to federal regulators because the information is presumed to be secure.
Otherwise, the rule requires that breaches affecting more than 500 individuals must be reported within 60 days to the media and the HHS Office for Civil Rights. Earlier, the VA reported a May 4 incident involving the loss or theft of a binder with information on 4,083 patients.
The incident occurred at an outpatient laboratory at VA North Texas Health Care System. Because the binder included personal information, including Social Security numbers, the VA offered the vets free ID theft protection for a year.
The incident was the fifth major breach the VA reported to OCR since last September, when the rule became effective.
List of Incidents
Also in May, Baker says the VA had the following security-related incidents at its various healthcare and other facilities, none of which affected more than 500 veterans:
- 13 lost encrypted Blackberries;
- 80 incidents of internal e-mails, containing information on veterans, which were not encrypted as required under VA policy;
- 74 "information mishandling" incidents. For example, a list of 101 emergency department patients was removed from an office by an unauthorized individual, but the list did not include identifiers;
- 123 incidents of mismailings, such as two letters sent in one envelope by mistake;
- Four incidents involving IT inventory issues, such as the lack of a record of whether an item was in the location where it should be or was appropriately disposed of.
Two Investigations
Baker also revealed some details on two incidents. In one, police are investigating a break-in at a North Chicago facility where records on 10 employees were taken. The staff members were offered free credit monitoring.
And United Parcel Service notified the VA that one of its employees was found to have prescriptions from six VA patients in Tennessee.