The Lebanon VA Medical Center just admitted to a massive HIPAA violation where the private health information belonging to 993 elderly veterans was unlawfully released.
The announcement of the unlawful release of private information occurred in November 2018. The information was allegedly released inadvertently by a VA official to only one family member of a veteran. A HIPAA violation generally occurs when private health information is shared with someone who is not authorized to possess or access that information.
Private Information Released
The VA privacy officer at the facility, Tonya Hromco, provided specific details about the release and the extent of the information improperly shared about elderly veterans.
“A historical listing of Veterans who were residents of nursing homes was inadvertently e-mailed to the family member of a veteran who was exploring nursing home placement options and had requested a listing of nursing home facilities that work with VA. The erroneously e-mailed list included Veterans’ names, abbreviated social security numbers, diagnoses, the nursing home where the Veteran was admitted and service-connection disability rating percentages, if applicable.
“Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously. Along with assistance from national offices, we immediately investigated this inadvertent, unauthorized release of information which occurred in late November,” said Tonya Hromco, Lebanon VA privacy officer. “We regret any release of unauthorized information and notifications to those impacted were made as required.”
VA has a long history of problems protecting private health information belonging to veterans. In one instance, a former VA employee was caught unlawfully accessing private health information to sell that data as part of a fraud scheme.
VA Regrets HIPAA Violation
Doug Etter, spokesperson for Lebanon VA, said the agency regrets the incident.
“It’s an isolated incident,” Etter said. “It’s an incident that we regret.”
“I think it’s important for people to know that the list did not include the date of birth of any of the veterans,” Etter said, seemingly in an attempt to downplay the importance of releasing name, diagnosis, disability rating, and other related private health information.
“We want to be open, honest, transparent,” Etter said. “We have nothing to hide. We made a mistake, we’ve owned up to it and we’ve promised to correct that mistake and not let it happen again.”
VA is supposedly taking steps to make sure additional privacy breaches do not occur in the future.
“We’ve put certain measures in place that are systemic to prevent it, to prevent the human error,” Etter said. “So all of these files are no longer what we call rolling or historic files. They’re also encrypted and restricted. So only a very few number of people can have access to these files. Finally, members of the Department are not allowed to send attachments along with emails.”
Appropriate Protections Implemented
“Our principal concern is for the safety and well-being of our Veterans and protecting their information,” said Robert W. Callahan Jr., medical center director. “A review of the incident was initiated and appropriate measures both in the section where this occurred and throughout the facility have been implemented to prevent future occurrences.”
VA claims it notified all veterans or family members of those affected by the Privacy Act and HIPAA violation. Those affected who may not have received notification of the violation should call the privacy officer at 1-800-409-8771, ext. 4614 or ext. 5413.
Lebanon VA is located in Pennsylvania Dutch country. The facility has been in operation for over 70 years. It is regionally within the agency’s VISN 4, which includes other facilities located in Philadelphia, Coatesville, Wilkes-Barre, Altoona, Pittsburgh, Butler, and Erie in Pennsylvania, as well as Wilmington, Delaware.