Email Breach Exposes PHI from Virginia VA Medical Center
Who: Lebanon VA Medical Center
# of Accounts Breached: Almost 1000
What was affected: The list contained veterans’ names, abbreviated Social Security numbers, the nursing home where the veteran had been admitted, diagnoses, and service-connection disability rating percentages.
When it happened: November 2018
How it happened: In November 2018, a member of staff at Lebanon VA Medical Center emailed a document to a family member of a veteran who was searching for nursing home facilities. The list should have contained nursing home facilities that work with the Department of Veteran Affairs; however, a historical record of residents of nursing homes was sent in error.
Outcome: The incident was an isolated error and steps have now been taken to reduce the potential for further mistakes. Additional controls have been implemented in the section where the error occurred and throughout its facility. Files containing historic information have now been encrypted, and restrictions have been placed on the number of individuals with access to those files. Technical controls have also been implemented that prevent members of the department from sending email attachments externally.