The Tribune-Review reports on data breaches involving medical records at the Department of Veterans Affairs and how these security problems, including insiders abusing their access privileges, affect individuals’ health privacy. (Read a previous post to learn more about the insider misuse and abuse problem.) The Tribune-Review reports:
A two-month Tribune-Review investigation found VA workers or contractors committed 14,215 privacy violations at 167 facilities from 2010 through May 31, victimizing at least 101,018 veterans and 551 VA employees. Photos of the anatomy of some were posted on social media; stolen IDs of others were used to make fraudulent credit cards.
“It’s hard to argue against the notion that VA holds the dubious distinction of being the largest violator of the nation’s health privacy laws,” said Deven McGraw, director of the Washington-based Health Privacy Project of the nonprofit Center for Democracy and Technology. “Protecting the privacy of every American is important, but you would think that we would be very careful when it came to our veterans. They sure earned it.”
In a written statement, agency spokeswoman Genevieve Billia said the VA “places the highest priority upon safeguarding the personal information” of veterans and uses technology to protect records. […]
The VA led the nation in digitizing medical records, and that gives employees access to health and financial records with a few keystrokes. The Trib’s analysis of reports filed with the VA’s Risk Management and Incident Response Resolution Team found a pattern of illegal snooping through patient files, or lost sensitive data such as Social Security numbers.
Eleven times since 2010, criminal investigators found VA employees in Massachusetts, Ohio, Virginia, Florida and Washington stealing veterans’ identities or prescriptions. The outcome of those cases is unknown because VA privacy officers decided the outcomes should be private. […]
The Trib’s records analysis found:
• Lack of accountability. One in 365 privacy violations was turned over to the agency’s Office of Inspector General, VA police or outside law enforcement. VA privacy officers recommended that 31 people lose their jobs for unlawful disclosures — nearly half of them contractors, volunteers, medical students or part-time staffers. Officials cannot estimate how many employees were terminated for privacy violations but conceded that it’s rare.
• Shoddy safeguards. In 82 cases, providers illegally released medical information or failed to secure patient consent during studies, violating the privacy of 2,856 vets.
• Failure to encrypt data. The VA mandated data scrambling on computers as a result of the 2006 theft in Maryland of a laptop containing 26.5 million veterans’ records. Since 2010, however, at least 16,183 vets were put at risk because VA employees failed to encrypt electronic gadgets that got lost or stolen.