News Feature | January 23, 2015

Veterans' PHI Compromised - Again

By Katie Wike, contributing writer

According to a report from the VA, breaches affected more than 8,700 veterans in November, a 123% increase from October.

More than 600 Veterans Affairs patients had their personal health information (PHI) exposed in October, but that was nothing compared to the 1,430 whose PHI was compromised in November. In all, a total of 8,733 veterans were affected by November data breaches.

One hundred and two of the data breaches were what the VA is calling “mis-mailed incidents,” and another 110 were related to lost PIV cards. Lost and stolen devices accounted for 39 of the incidents, and 81 were from “mis-handled incidents.”

According to Health IT Security, the increase in incidents is likely related to a third-party vendor security flaw that potentially exposed individuals’ information online, including names, addresses, dates of birth, phone numbers, and VA patient identification numbers.

“If someone knew a specific URL, they could have potentially accessed a document which contained personally identifiable information (PII) of several thousand VA patients,” states the VA report. “The URL was very specific and it would have had to have been typed into the web browser to be accessed, but there is a possibility it could have been. The vulnerability was open for several years.”

Health IT Security reports that 7,463 veterans were sent letters offering credit monitoring services, and that the VA became aware of this through an anonymous email. “The vendor stated the anonymous email with data (name, SSN, date of birth) on five home telehealth patients was believed to have been sent by a vendor employee that was terminated during their investigation. That employee did have authorized access to the information. The information was emailed to VA leadership. The OIG has reviewed the incident and declined investigation due to the lack of evidence substantiating any wrongdoing or access by the public.”

The accused employee denied sending the email, and there is no way for the VA Network and Security Operations Center (NSOC) to know who accessed the information, but the website vulnerability has now been fixed.