It has been discovered the protected health information of hundreds of elderly patients of Lebanon VA Medical Center in Pennsylvania has been impermissibly disclosed to a family member of a veteran.
The data breach, which took place in November 2018, involved a member of staff at Lebanon VA Medical Center emailed a document to a family member of a veteran who was seeking nursing home facilities. The list should have included nursing home facilities that work with the Department of Veteran Affairs; however, a historical list of residents of nursing homes was sent by mistake.
The list included veterans’ identities, abbreviated Social Security numbers, the nursing home where the veteran had been staying, diagnoses, and service-connection disability rating percentages.
Lebanon VA privacy officer Tonya Hromco said: “Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously. Along with assistance from national offices, we immediately investigated this inadvertent, unauthorized release of information which occurred in late November.”
The breach was an isolated mistake and measures have now been taken to reduce the potential for future errors. New controls have been implemented in the section where the error took place and throughout its facility. Files including historic information have now been encrypted and restrictions have been added to the number of individuals with access to those files. Technical controls have also been put in place that prevent members of the department from broadcasting email attachments externally.
A press release sent by Lebanon VA Medical Center states that the PHI of 993 people was impermissibly shared. The breach report on the HHS’ Office for Civil Rights’ breach portal says that the breach could have affected up to 1,002 people.
People impacted by the privacy breach and family members of deceased patients have recently been sent breach notification letters.