Privacy breaches in VA health records wound veterans
By Carl Prine | The Pittsburgh Tribune-Review | Published: October 13, 2013
Karen Santoro heard co-workers chattering about her psychological care in 2010.
An Air Force veteran and surgical services scheduler at the Veterans Affairs Pittsburgh hospital in Oakland, Santoro asked officials with the VA and the Department of Health and Human Services to investigate the source of the gossip. It seemed to violate the federal Health Insurance Portability and Accountability Act, or HIPAA, that prohibits release of medical information.
Advised by her physician, Santoro begged her bosses to transfer her or let her work from home until investigators finished their work. They refused. She resigned in mid-2011, disgusted with VA's disregard of privacy laws. She is convinced that officials were retaliating against her and concerned by “inaction” by Health and Human Services, which enforces HIPAA at all health care facilities.
“It's unconscionable that the very people who defend the rights of the American people don't have those rights at VA,” said Santoro, 46, of Pittsburgh's South Side. “... We must fight back and change the system because we deserve a better one.”
A two-month Tribune-Review investigation found VA workers or contractors committed 14,215 privacy violations at 167 facilities from 2010 through May 31, victimizing at least 101,018 veterans and 551 VA employees. Photos of the anatomy of some were posted on social media; stolen IDs of others were used to make fraudulent credit cards.
“It's hard to argue against the notion that VA holds the dubious distinction of being the largest violator of the nation's health privacy laws,” said Deven McGraw, director of the Washington-based Health Privacy Project of the nonprofit Center for Democracy and Technology. “Protecting the privacy of every American is important, but you would think that we would be very careful when it came to our veterans. They sure earned it.”
In a written statement, agency spokeswoman Genevieve Billia said the VA “places the highest priority upon safeguarding the personal information” of veterans and uses technology to protect records. The VA takes privacy breaches “very seriously and has established strict guidelines that go beyond what is required by law,” she said.
The VA led the nation in digitizing medical records, and that gives employees access to health and financial records with a few keystrokes. The Trib's analysis of reports filed with the VA's Risk Management and Incident Response Resolution Team found a pattern of illegal snooping through patient files, or lost sensitive data such as Social Security numbers.
Eleven times since 2010, criminal investigators found VA employees in Massachusetts, Ohio, Virginia, Florida and Washington stealing veterans' identities or prescriptions. The outcome of those cases is unknown because VA privacy officers decided the outcomes should be private.
In 2012, a medical clerk in Miami was sentenced to two years in prison for selling undercover agents data belonging to 22 veterans. The employee confessed to stealing the identities of 3,000 vets over five years before a credit card fraud scheme fell apart.
A VA patient service assistant in Muskogee, Okla., snapped a photo of an ailing veteran's exposed buttocks in 2011 and then, for reasons unknown, posted the picture on Facebook. Hers is not an isolated incident: At least 15 times over the past three years, VA workers put images of sick vets or revealed patients' health information on social media for pals to see.
The Trib's records analysis found:
- Lack of accountability. One in 365 privacy violations was turned over to the agency's Office of Inspector General, VA police or outside law enforcement. VA privacy officers recommended that 31 people lose their jobs for unlawful disclosures — nearly half of them contractors, volunteers, medical students or part-time staffers. Officials cannot estimate how many employees were terminated for privacy violations but conceded that it's rare.
- Shoddy safeguards. In 82 cases, providers illegally released medical information or failed to secure patient consent during studies, violating the privacy of 2,856 vets.
- Failure to encrypt data. The VA mandated data scrambling on computers as a result of the 2006 theft in Maryland of a laptop containing 26.5 million veterans' records. Since 2010, however, at least 16,183 vets were put at risk because VA employees failed to encrypt electronic gadgets that got lost or stolen.
“There's quite a difference between unknowingly exposing veterans' personally identifiable information through network security vulnerabilities and purposefully violating the privacy of veterans,” Rep. Jeff Miller, R-Fla., who chairs the House Committee on Veterans' Affairs, told the Trib.
“In this case, I don't know what's worse: that hundreds of VA employees and managers willfully and blatantly violated veterans' privacy, or the fact that VA officials have refused to issue any sort of serious punishment in all but a fraction of these incidents.”
Most VA privacy violations are preventable, experts said.
Had employees simply checked fax numbers before dialing, for example, they might have avoided sending records of 1,118 veterans to the wrong place. The data of 863 other veterans and two employees were compromised because staffers lost paperwork in restrooms.
In 1,207 cases affecting at least 5,254 vets, the VA gave medication and paperwork to the wrong patients or strangers. In about one out of five of those incidents — mostly involving mailing mistakes — the VA disclosed all or part of Social Security numbers, birth dates or medical diagnoses, according to the reports.
“If a health care network is sloppy with your protected data, then they'll be sloppy when caring for patients,” said Joan Kiel, a professor of Health Management Systems at Duquesne University who is an expert on privacy rules.
Kiel's prescription to cure the VA: Arm privacy officers with training and credentials to investigate violations and educate co-workers. Give supervisors authority to fire violators.
VA officials declined to say if even one employee is credentialed. In reports, privacy officers cite doubts about their ability to do their jobs. In a 2011 case involving the Central Alabama Veterans Health Care System, for example, an unnamed officer conceded to having “no prior privacy background, privacy training, or experience conducting investigations.”
As for empowering supervisors, 20 times over the past three years agency managers tasked with enforcing privacy standards were caught snooping inappropriately through records — five cases in Albuquerque, N.M., alone. The VA fired no supervisor for these breaches, according to the reports.
Kiel and other experts said firing or punishing employees who run afoul of privacy rules is the norm at most health networks because hospitals want to avoid patient lawsuits and tough enforcement efforts by the Department of Health and Human Services' Office of Civil Rights.
‘A big hammer’
The civil rights office in 2011 hit Maryland-based Cignet Health Services with $4.35 million in fines for failing to provide 41 patients copies of health records they requested, and then stonewalling investigators.
A UCLA School of Medicine researcher who improperly accessed health records of his boss, co-workers and celebrity patients was sentenced to four years in prison, and the school settled with the civil rights office for $865,000. Other employees suspected of trespasses were blacklisted from employment.
New Health and Human Services rules threaten medical providers, insurance companies and contractors with a maximum fine of $1.5 million for each violation, up from $25,000 per offense for repeat lawbreakers.
“That's a big hammer,” said attorney William H. Maruca, a partner at Fox Rothschild L.P., Downtown, and a HIPAA expert. “... That doesn't shrug this off as ‘just another government mandate.’”
Health and Human Services officials acknowledged, however, that policy lets them investigate VA violations but not penalize the agency, even for repeat offenses.
“No case related to the VA has resulted in a monetary settlement,” said agency spokeswoman Rachel Seeger. The civil rights office “is looking concertedly at systemic issues throughout the VA system with respect to HIPAA compliance.”
Santoro wants Congress to sharpen the civil rights office's teeth to bite harder into the VA's privacy problem.
“It's funny how celebrities in Hollywood have more privacy protections than military veterans who go to VA,” said Santoro. “Look at how OCR went after UCLA, and then see what they do for American military veterans who suffer even worse treatment by VA. It's a disgrace.”
In a statement, VA officials said the agency is retraining employees to “achieve a culture change in which all VA employees understand the importance of protecting veteran information as part of their daily routine.”
Records underscore that statement. In 2010, VA facilities retrained employees 498 times for privacy violations, but took no action in 1,104 cases beyond offering victims credit monitoring. In 2011, VA counseling and retraining more than doubled to 1,134 sessions, then rose to 1,387 sessions in 2012.
Yet privacy violations continue to climb. Security reports for the first five months of this year are peppered with concerns that retraining is not working.
In Jackson, Miss., 312 VA medical center employees accessed records of Army veteran Johnnie Lee, 55, when he died during surgery in 2011. The number equates to one in five workers there. Records show Jackson staffers were retrained on privacy issues a dozen times after that breach for committing similar violations. Three employees were disciplined.
On March 8, two employees in Louisville were caught going through files of a surgical services official. One worker was “very familiar with privacy policies and regulations, as this is the 4th time in my office for privacy violations,” a frustrated manager reported.
On May 22, a privacy officer in El Paso reported receiving a call “from a very irate owner of a local towing company,” who received by fax 14 pages of medical records for six veterans, with Social Security numbers, home addresses, birth dates and diagnoses.
Such faxes “had been going on for a while,” but when he called before, someone at the VA advised him to “shred and throw away any other documents he had received,” according to the report.
“This is wrong,” he told the privacy officer.
VA officials, who declined to comment, decided to retrain all El Paso employees on faxing documents — their fourth such special session in three years.
Carl Prine is a Total Trib Media staff writer. Reach him at firstname.lastname@example.org or 412-320-7826.