The U.S. Department of Veterans Affairs continues to be one of the biggest offenders of HIPAA privacy and security rules and has reported egregious breaches in recent years, affecting millions of veterans and active service members.
From 2010 through May 2013, VA department employees or contractors were responsible for 14,215 privacy breaches affecting more than 101,000 veterans across 167 VA facilities, including identity theft, theft of veterans' prescriptions, Facebook posts concerning veterans' body parts, and failure to encrypt data, a Pittsburgh Tribune-Review investigation revealed.
Recent VA privacy and security violations prompted a June 2013 hearing on Capitol Hill regarding the topic of protecting veterans' private information. "VA places the highest priority in safeguarding Veterans’ and employees’ personal information," Stephen W. Warren, acting assistant secretary at the Office of Information and Technology at VA, told lawmakers at the hearing.
However, some say the agency doesn't appear to have the privacy track record to support those comments.
Back in 2006, VA reported that an unencrypted laptop, containing the personal data and Social Security numbers of some 26.5 million veterans and active duty members, was stolen -- an incident which Warren called a "wakeup call" for the agency. Following an investigation, the laptop was eventually recovered almost two months later, but the event resulted in a $20 million class action lawsuit against the VA.
In January 2012, VA announced that the agency had posted personal information and Social Security numbers of some 2,200 veterans to Ancestry.com, following the mistaken release of data through the Freedom of Information Act.
Also in 2012, VA reported that a Miami, Fla. agency employee was arrested for selling the identities of 22 veterans from the medical center. The man, sentenced to 26 months in prison, also admitted to selling 3,000 veterans' identities over the past five years, according to the VA Office of Inspector General.
In the past few years, the agency has reported some 17 HIPAA privacy and security violations to the Department of Health and Human Services.
At the June 4 hearing, Linda Halliday, assistant inspector general for audits and evaluations, Office of Inspector General at VA, told lawmakers that VA continues to be a target of "malicious intent" and has experienced severe security incidents. Database vulnerabilities, Halliday explained, have resulted in exposing the protected health information of millions of veterans and active service members.
"Many of these weaknesses are due to inconsistent enforcement of an agency-wide information security program across the enterprise and ineffective communication between VA management and the individual field offices," Halliday told lawmakers.
After issuing a series of audits, Halliday and the OIG found deficiencies in several areas: ineffective management of system interconnections and sensitive data exchanges, delayed contractor background investigations, poor password standards, a lack of monitoring, and inadequate data controls.
Amidst the scrutiny, department officials have promised to work to reduce the number of privacy and security breaches. "The Department has worked hard to regain the trust of Veterans," said Warren, citing the addition of a new team dedicated to data breaches, an encryption campaign and an information security program to address policy and architecture deficiencies.
Of the roughly 80,000 HIPAA breach cases the HHS Office for Civil Rights has received since 2003, only 16 have resulted in fines, Leon Rodriguez, OCR director, pointed out in an interview with Healthcare IT News. Despite its record of violations, the VA has not been required to pay any of those fines.