The Department of Veterans Affairs (VA) has issued a report to Congress showing a 35% decrease in VA data breaches in January 2015 compared to December 2014. The reduction in breaches was accompanied by a 52% decrease in the number of breach victims.
In the last month of 2014, 58% of breach victims had their Protected Health Information (PHI) compromised in security incidents. While fewer veterans were affected by data breaches in January, 78% of those victims had their PHI compromised. There were 242 breaches of PHI reported in January out of 310 data breaches, and 643 victims in December 2014, of whom 371 had PHI compromised.
The number of VA data breaches due to stolen or lost devices fell in January 2015, with 12% fewer incidents reported. Mis-mailing accidents saw a 22% reduction, while mishandling accidents fell by 21%. The number of incidents of lost PIV cards increased 6%; however, this represented only 7 more cases than the 120 reported in December.
In the report to Congress, five examples of VA data breaches in January 2015 are provided. They correspond to the different types of data breaches that occurred during the month, with a brief summary of the actions taken listed along with further investigations that are required.
The most common VA data breaches in January 2015 were due to data mishandling accidents, which accounted for 118 breaches. In the example provided, two patients had their mailings confused because they shared the same surname. Many of these incidents were of a similar nature and involved simple administration errors. The VA report indicated there were 92 incidents where two patients' information was confused.
Mis-mailed Consolidated Mail Outpatient Pharmacy (CMOP) privacy breaches were low, with only 7 out of 10,232,524 prescriptions issued, and data exposure due to device loss was prevented in many cases. A Cheyenne VAMC Community Based Outpatient Clinic (CBOC) laptop loss was mentioned, as the laptop had not been recovered, although no PHI is believed to have been exposed. Six desktop computers were stolen along with a ME Biodrive flash drive from a HIPAA-covered entity in Wilkes-Barre, Pennsylvania; however, since the data was encrypted, there was no HIPAA violation or data exposure.
The report confirmed that when PHI was compromised in a data breach, the affected veterans were provided with credit monitoring services to mitigate any risks of financial loss.