VA patient information inadvertently posted to the web

Date Reported:
10/31/08

Organization:
U.S. Department of Veterans Affairs

Contractor/Consultant/Branch:
Portland VA Medical Center (PVAMC)

Location:
Portland, Oregon

Victims:
Patients

Number Affected:
"about 1,600"

Types of Data:
Personal information including Social Security numbers

Breach Description:
"Personal information, including some Social Security numbers, of about 1,600 patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site, Portland VA officials said Saturday."

Reference URL:
The Oregonian
The Associated Press via The Oregonian
United Press International

Report Credit:
Michael Milstein, The Oregonian with a special thanks to Rob at www.InsideIDTheft.info.

Response:
From the online sources cited above:

Personal information, including some Social Security numbers, of about 1,600 patients at the Veterans Affairs Medical Center in Portland was inadvertently posted on a public Web site, Portland VA officials said Saturday.
[Evan] Breaches that affect people that risk their lives for my freedom really touch a nerve.

The breach also involved patient information from other VA hospitals around the country, but Portland VA spokesman Mike McAleer did not know how many patients were affected nationally.

The affected Portland patients had stayed in local lodging at the VA's expense while undergoing treatment at the Portland VA Medical Center.

Most were from Oregon.

The VA is offering affected patients free credit monitoring and fraud alert services, a step that Congress required in 2006 after previous data security lapses at the VA.
[Evan] Credit monitoring and "fraud alert services" only notify a person after fraud has occurred.  I suppose they limit the amount of damage, but damage is nevertheless done before they are useful.  How long are credit monitoring and fraud alert services available from the VA?  12 months (the semi-standard)?  What good is 12 months if the information has a useful lifetime that far exceeds that?  Read this before?

The disclosure did not include Social Security numbers of all 1,600 patients.

In some cases, only patient names or partial names were posted online.

No medical information was disclosed.
[Evan] Thank God.  Medical information disclosure is more damaging in the long-term, in my opinion.

The release occurred when the VA inadvertently included personal patient information in agency financial records transferred to the federal Web site USAspending.gov.
[Evan] This comment is not really related to this breach.  I just checked out http://www.usaspending.gov for the first time while writing this posting.  Holy *&@^ does our government spend a friggin' lot of money!  Just an example; the top three agencies listed in the "Top 5 Agencies Providing Assistance" for FY 2007 are #1: HHS - Health Care Financing Admin. (was Medicare and Medicaid Serv.) at $280,151,829,402,  #2: HHS - Administration for Children and Families at $45,475,025,580, and #3: DOT - Federal Highway Administration at $45,421,741,777.  Are you kidding me?!  Your business might be suffering, but business in the government is booming with no layoffs looming!

The site allows the public to search for details of government contracts and spending.

VA officials removed the information from the Internet as soon as they realized it was there, but McAleer did not know how long the information was publicly available.

The Portland VA began notifying affected patients about the lapse by letter a little more than a week ago.

"We sincerely apologize for any inconvenience or worry this may have caused you," said one letter from David Stockwell, acting director in Portland.

The letters from the VA explain to patients how to sign up for a credit monitoring service free for one year to detect any evidence of identity theft.

Commentary:
What is the #1 cause of a breach like this, i.e. the inadvertent or mistaken posting of private information to a publicly accessible resource?  Is it poor information security training and awareness?  Is it poor business process?  Maybe it is as simple as a human being human.  I wish I had the answer, but I don't definitively have one.  I do know, based on my experience, that training and constant awareness do reduce the number of incidents over time (initially there is a spike in reports, because people start recognizing and reporting what they previously overlooked).  Training and awareness dollars are typically dollars well spent.
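Training addresses the human side; the process side of this particular failure mode (personal data riding along inside a bulk financial export) can also be backstopped with an automated scan that runs before the file leaves the agency. The following is an added example written for this post, not code from the VA, USAspending.gov or the original article. The CSV columns, every row in it and the choice to treat the export as a plain CSV are constructed assumptions for illustration.

```python
"""Pre-release scan of a financial export for Social Security numbers.

Added example for this post, not code from the VA or USAspending.gov.
The CSV layout, column names and every row below are constructed.
"""
import csv
import io
import re

# Matches a hyphenated SSN (123-45-6789) or a bare nine-digit run, but not
# digits that sit inside a longer number such as an amount or a 10+ digit ID.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

# Constructed sample export in the shape of an agency spending record.
# Line 2 leaks a hyphenated SSN and line 4 a bare one; line 5 carries a
# nine-digit invoice number that is structurally not an SSN.
SAMPLE_CSV = """\
award_id,recipient,amount,description
VA-2008-0001,Riverside Lodging LLC,412.00,Lodging 3 nights patient J. Doe 123-45-6789
VA-2008-0002,Riverside Lodging LLC,380.00,Lodging 2 nights patient stay
VA-2008-0003,Hilltop Inn,900.00,Lodging patient ref 123456789
VA-2008-0004,Hilltop Inn,150.00,Invoice 000-12-3456 void
"""


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is never 000, 666 or 900-999, group is
    never 00 and serial is never 0000.  Applying them keeps invoice and
    reference numbers from being flagged purely on digit count."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(csv_text: str) -> list:
    """Return (line_number, column, match) for every plausible SSN in any
    column of the export.  Line 1 is the header, so data starts at 2."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):
        for column, value in row.items():
            for m in SSN_RE.finditer(value or ""):
                if plausible_ssn(*m.groups()):
                    findings.append((line_no, column, m.group(0)))
    return findings


def release_ok(csv_text: str) -> bool:
    """Gate: the file may be published only if the scan finds nothing."""
    return not find_ssns(csv_text)


def redact(csv_text: str) -> str:
    """Mask plausible SSNs down to the last four digits so the corrected
    file can be re-scanned and released without the identifying part."""
    def mask(m: re.Match) -> str:
        area, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            return m.group(0)
        return "***-**-" + serial
    return SSN_RE.sub(mask, csv_text)


if __name__ == "__main__":
    for line_no, column, match in find_ssns(SAMPLE_CSV):
        print(f"line {line_no}, column {column!r}: {match}")
    print("release allowed:", release_ok(SAMPLE_CSV))
    print("release allowed after redaction:", release_ok(redact(SAMPLE_CSV)))
```

The gate catches the two rows that carry a real-looking SSN and lets the invoice number through, which is the point of applying the structural rules rather than counting digits. What it cannot catch is exactly what the article says was also posted: bare names and partial names, which have no pattern to match. A scan like this is a backstop for the process and the training, not a substitute for them.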

It seems like it has been a while since we have read about an information security breach at the VA.  Have things gotten better?

Past Breaches:
U.S. Department of Veterans Affairs:
September, 2007 - VA Medical Center Exposes 700 Employees on Envelopes
November, 2007 - 185,000 victims of VA ex-employee fraud
May, 2006 - VA: Veterans Personal Data Swiped
