VA remains one of top privacy offenders
October 14, 2013 in Medical Technology
The U.S. Department of Veterans Affairs continues to be one of the biggest offenders of HIPAA privacy and security rules and has reported egregious breaches in recent years, affecting millions of veterans and active service members.
From 2010 through May 2013, VA department employees or contractors were responsible for 14,215 privacy breaches affecting more than 101,000 veterans across 167 VA facilities, including incidences of identity theft, stealing veteran prescriptions, Facebook posts concerning veterans’ body parts, and failing to encrypt data, a Pittsburgh Tribune-Review investigation revealed.
Recent VA privacy and security violations prompted a June 2013 hearing on Capitol Hill regarding the topic of protecting veterans’ private information. “VA places the highest priority in safeguarding Veterans’ and employees’ personal information,” Stephen W. Warren, acting assistant secretary at the Office of Information and Technology at VA, told lawmakers at the hearing.
[See also: Ready or not: HIPAA gets tougher today.]
However, some say the agency doesn’t appear to have the privacy track record to support those comments.
Back in 2006, VA reported that an unencrypted laptop, containing the personal data and Social Security numbers of some 26.5 million veterans and active duty members, was stolen — an incident which Warren called a “wakeup call” for the agency. Following an investigation, the laptop was eventually recovered almost two months later, but the event resulted in a $20 million class action lawsuit against the VA.
In January 2012, VA announced that the agency had posted personal information and Social Security numbers of some 2,200 veterans to Ancestry.com, following the mistaken release of data through the Freedom of Information Act.
Also in 2012, VA reported that a Miami, Fla. agency employee was arrested for selling the identities of 22 veterans from the medical center. The man, sentenced to 26 months in prison, also admitted to selling 3,000 veterans’ identities over the past five years, according to the VA Office of Inspector General.
[See also: Slideshow: 10 biggest HIPAA data breaches in the U.S.]
In the past few years, the agency has reported some 17 HIPAA privacy and security violations to the Department of Health and Human Services.
At the June 4 hearing, Linda Halliday, assistant inspector general for audits and evaluations, Office of Inspector General at VA, told lawmakers that VA continues to be a target of “malicious intent” and has experienced severe security incidents. Database vulnerabilities, Halliday explained, have resulted in exposing the protected health information of millions of veterans and active service members.