Email Error Results in PHI of Veterans Accidentally Sent to Unauthorised Individual

A data security incident at Lebanon VA Medical Center has resulted in the protected health information (PHI) up to a thousand patients being accidentally sent to an unauthorised individual via email.

The data breach took place at Veteran Affairs center in Pennsylvania in November 2018. A staff member at the facility accidentally sent an email to a family member of a veteran who was seeking information on the center’s nursing home facilities. A document was attached to the email, which the employee believed contained information on nursing home facilities that work with the Department of Veteran Affairs. However, it was quickly realised that the list contained information on previous nursing home residents.

The document included a range of sensitive information, included veterans’ identities, abbreviated Social Security numbers, the nursing home where the veteran had been staying, diagnoses, and service-connection disability rating percentages.

In response to the breach, Lebanon VA privacy officer Tonya Hromco said: “Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously. Along with assistance from national offices, we immediately investigated this inadvertent, unauthorized release of information which occurred in late November.”

As the breach was an isolated mistake, action could be rapidly taken to mitigate the risks of a similar breach occurring again in the future.  New controls have been implemented in the section where the error took place and throughout its facility. Files including historic information have now been encrypted and restrictions have been added to the number of individuals with access to those files. Technical controls have also been put in place that prevent members of the department from broadcasting email attachments externally.

A press release sent by Lebanon VA Medical Center states that the PHI of 993 people was impermissibly shared. The breach report on the HHS’ Office for Civil Rights’ breach portal says that the breach could have affected up to 1,002 people.

In accordance with HIPAA’s Breach Notification Rule, individuals impacted by the privacy breach and family members of deceased patients have recently been sent breach notification letters. As the security incident was isolated and the individual to whom the data was sent readily identifiable, it is not expected that of the affected individuals are at risk of identity fraud.

Although cybersecurity incidents such as hacking are often the data breaches that attract the most attention, many reports compiled by data security researchers highlight the frequency accidental breaches such as this. These are relatively low-risk events in comparison to hacking and other IT security incidents, but nonetheless measures should be taken to ensure that incidents such as this are unlikely to occur.