Mismailing Causes VA Information Breach
4,000 Vets' Social Security Numbers Exposed
More than 6,000 benefit summary letters were mailed to incorrect addresses in Massachusetts in late August. Of those, 3,913 included the wrong veteran's Social Security number. As a result of the breach, which could potentially lead to identity theft, the VA is offering those vets free credit monitoring services.
The cause of the mismailing was a mail merge error, says Roger Baker, assistant secretary for information and technology. A VA vendor, Performance Analysis & Integrity, merged veterans' data with an old address database, which caused the letters to be mailed to the incorrect addresses, according to the VA's September report to Congress on information breaches.
Benefit summary letters are not covered by the HITECH Act's breach notification rule, so the incident will not be reported to the Department of Health and Human Services' Office for Civil Rights, a VA spokesman says.
Privacy Violation
In a monthly media teleconference Thursday, Baker also discussed an unusual privacy violation affecting one veteran who was slated to be deployed to Afghanistan.
The veteran who was reporting for deployment was informed by a Department of Defense physician that he was ineligible for duty due primarily to the content of a progress note recorded earlier in the veteran's treatment at a VA facility. That physician should not have had access to the progress note, Baker says, because the veteran had not signed a release of information form for certain counseling details.
Certain information is routinely shared between the VA and DoD electronic health records systems, Baker notes. "But this is a reminder to our clinicians to make certain that certain sensitive information is not entered into progress notes that might be viewable outside the VA."
Computer Security Update
In other privacy and security matters, Baker confirmed that the VA, as a result of deploying $50 million in technology, now is able to identify all laptops, desktop PCs and other devices linked to its network to determine whether they're using encryption and have appropriate security patches, applications and operating systems. The VA is now gathering information on the status of all devices.
Baker's plan to mail a letter to all VA contractors to remind them to certify they are meeting VA security guidelines, announced in September, has been delayed because of difficulties assembling the mailing list, he says. Meanwhile, an audit of vendor contracts on a facility-by-facility basis is continuing.