United States Department of Veterans Affairs Data Breach (2012)

A VA Hudson Valley Employee sent VA Sensitive Information unencrypted from a VA Outlook account to a personal email account. The Hudson Valley Information Security Officer (ISO) and Privacy Officer (PO) are conducting fact finding and will update this ticket when more information is known. 04/19/12: The employee was a part time employee who had administrative duties working on a research project. The research project was ending and she has left VA for a different job. She had sent 67 emails to her home email account, four of which had attachments with some patient data. Approximately 105 individuals had personally identifiable information (PII) on these documents, and approximately 2200 individuals who had full name and last four digits of the SSN included. The OIG is investigating this. There is no reason to believe there was malicious intent at this time. The employee was in good standing and it is believed she was catching up on her work prior to leaving VA employment. The Information Security Officer (ISO) and Privacy officer (PO) will be following up with the OIG to check the status of the investigation. 04/24/12: Further investigation reveals there were 5 attachments and the new number is 2,638 total patients. The OIG is investigating. After further review of the individual's inbox, it was discovered that the system blocked several of the messages that contained SSNs in the attachments. Staff are comparing the blocked messages with the original sent messages to see exactly what was successfully sent to the individual's home e-mail account. 04/27/12: OIG conducted interviews with research employees associated with this incident. The research employees fully cooperated with the OIG. The employee's personal computer was retained by VAOIG and is being sent to D.C. to have an analysis of the hard drive conducted to determine if any PII information was forwarded. Incident is still pending confirmation by Facility ISO that information was not released. 05/17/12: The ISO has recieved information that the e-mails were blocked by the system from being sent to the employees. Only one SSN is believed to have gotten through the filter and that individual will be sent a letter offering credit protection services. The OIG has reviewed the PC and found no PII. The facility is waiting for the PC to be returned from OIG.