Another VA headache: Privacy violations rising at veterans’ medical facilities

 


Deceased vets’ data has been sent to the wrong widows. Employees have snooped on the records of patients who’ve committed suicide. And whistleblowers say their own medical privacy has been violated. In response, the VA says patient privacy is a priority.

This story originally appeared on ProPublica and was co-published with NPR's Shots blog.

When Anthony McCann opened a thick manila envelope from the Department of Veterans Affairs last year, he expected to find his own medical records inside.

Instead, he found over 250 pages of deeply revealing personal information on another veteran’s mental health.

“It had everything about him, and I could have done anything with it,” McCann said in an interview.

It wasn’t the first time McCann had received another veteran’s medical records. In the past, he informed the VA, then threw away the misdirected documents. This time, after failing to make contact with the other veteran on his own, McCann took the documents to a town hall meeting held by the director of the VA’s Tennessee Valley Healthcare System.

When the floor opened for questions, McCann was the first to raise his hand.

“I got 256 pages of another person’s extremely confidential, extremely explicit mental health records,” he said, waving the documents in his hands, an exchange captured by local media. When an official asked for the documents back, McCann refused, doubting the VA’s ability to safeguard the material or make sure it ended up in the right hands. “I don’t trust them,” McCann told ProPublica. “They don’t do what they say they’re going to do.”

Employees and contractors at VA medical centers, clinics, pharmacies and benefit centers commit thousands of privacy violations each year and have racked up more than 10,000 such incidents since 2011, a ProPublica analysis of VA data shows.

The breaches range from inadvertent mistakes, such as sending documents or prescriptions to the wrong people, to employees’ intentional snooping and theft of data. Not all concern medical treatment; some involve data on benefits and compensation.

Many VA facilities and regional networks are chronic offenders, logging dozens of violations year after year.

The VA’s Sunshine Healthcare Network, which includes Florida, Puerto Rico and southern Georgia, has had more privacy incidents than any other region, with at least 370 over the past five years, according to ProPublica’s analysis. The C.W. Bill Young VA Medical Center in Bay Pines, Fla., had more privacy reports than any other facility, with 112 incidents. (ProPublica’s new tool, HIPAA Helper, allows you to read reports on these incidents and search by facility.)

In an interview Dec. 29, a VA official said the department considers patient privacy a top priority and that it fares well in comparison to health providers and insurers in the private sector, some of which have been targets of cyberattacks this year. The VA runs the largest integrated health care system in the nation, with 150 hospitals and hundreds of clinics that collectively serve around 9 million patients annually.

“We take any loss of data very seriously,” said John Oswalt, the VA’s associate deputy assistant secretary for privacy and records management. “Over a third of our employees are veterans. … We have a vested interest in protecting the data personally, too.”

The VA also released a written statement that said, in part, “Inappropriate access of patient health records, either during or post treatment, is absolutely unacceptable and in violation of privacy laws and regulations, VA policies and procedures, and our principles.”

Responsibility to act on privacy violations falls both to the VA itself and to the Office for Civil Rights within the Department of Health and Human Services. That’s the agency charged with enforcing the Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA. The civil rights office has cited the VA more frequently than any other health provider in the nation, yet it has not sanctioned the VA or publicly identified it as the top HIPAA violator.

VA facilities were the subject of more than 300 privacy complaints to the Office for Civil Rights from 2011 to 2014. In 220 cases, the VA submitted a corrective-action plan or received “technical assistance” on how to comply with the law. (See our previous story.)

Two senators told ProPublica they found the volume of privacy breaches involving the VA to be deeply troubling.

“It’s just one more area in which the VA fails to operate in a way that’s worthy of our veterans,” said Kansas Republican Sen. Jerry Moran, a frequent critic of the VA who serves on the Senate Committee on Veterans’ Affairs. “There’s 127 community hospitals in Kansas. I have visited each and every one of them. When I visit a hospital, you can sense that they are very cautious about what I see and what I hear when it involves a patient. … That same kind of attitude ought to exist at the VA.”

VA privacy complaints increasing

Under the Freedom of Information Act, ProPublica requested data on privacy incidents involving employees and contractors working with the U.S. Department of Veterans Affairs. Totals by month:


The VA provides monthly reports to Congress on data breaches and posts them on its website, but these reports don’t contain all of the incidents provided to ProPublica under the Freedom of Information Act.

Moran said he would support requiring the VA to report all privacy incidents to Congress.

A 2013 investigation by the Pittsburgh Tribune-Review found that privacy violations were rampant within the VA, affecting tens of thousands of veterans. ProPublica asked for the data provided to the newspaper, as well as all privacy violations since then. The number of reported incidents has increased, the data shows.

In fact, from 2011 to 2014, the number of reports per year nearly doubled, from 1,547 to 3,054.

The VA’s Oswalt said the increase is less a result of a growing problem and more an indication that the VA has been successful in encouraging employees to report potential breaches.

“I think we have a pretty good track record of getting people to report when they make a mistake or when they observe something happening,” he said. “If we were out there punishing people for human error, I think you would see the number of reported incidents go down, but that doesn’t serve the needs of the veteran.”

Under HIPAA, medical providers are responsible for keeping patients’ medical information confidential. Releasing a patient’s treatment information without consent is illegal. VA employees who have access to medical records are only supposed to access the minimum necessary in order to perform their jobs.

The majority of the VA privacy incidents appear to be inadvertent ones -- for example, medical records left in waiting rooms or faxed to the wrong recipient. But even unintended errors can cause grief, particularly in the case of mistaken identities.

There were several cases of widows who received letters extending sympathy for the death of unrelated veterans and outlining survivor compensation and burial benefits for those veterans.

The privacy incident reports also reveal more systemic issues across the VA: Employees repeatedly accessed the medical records of patients not under their care, from coworkers to suicidal vets to whistleblowers.

For example, in September 2011, after a veteran committed suicide on the grounds of a VA facility in Biloxi, Miss., more than 40 employees accessed his medical records. In response, the VA provided training and a reminder about privacy laws and sent the veteran’s family a letter informing them of the violation.

Two years later, a VA employee who worked at the same facility in Biloxi committed suicide and, again, several co-workers inappropriately snooped in the medical records.

In January 2015, a veteran who works at C.W. Bill Young VA Medical Center attempted suicide. Afterward, many co-workers who had no direct involvement in his medical care seemed to know about his attempt and asked how he was doing. Following an investigation, the VA’s incident response team found that an employee had indeed inappropriately accessed the veteran’s medical records “out of curiosity.”

The problems were noted both within the VA’s internal data and in letters sent by the Office for Civil Rights to the VA when it closed its complaint investigations. (Patients can complain to the VA, the Office for Civil Rights or both.)

Some VA employees have used their access to medical records as a weapon in disputes or for personal gain, incident reports show.

A patient treated at the West Virginia VA Medical Center had his medical records impermissibly accessed by co-workers of his wife. His records were then used against him during divorce proceedings, according to a May 2013 letter from the Office for Civil Rights.

A VA employee at C.W. Bill Young VA Medical Center suspected that his ex-girlfriend, a nurse at the facility, accessed his Social Security number from his confidential medical files in order to change his AT&T account information. He requested a list of everyone who looked at his file, which revealed that his ex-girlfriend had accessed it 55 times. According to the Office for Civil Rights investigation letter from November 2012, the ex-girlfriend was suspended for 10 days, given training and the incident was documented in her employment record.

As the VA’s overall problems have mounted in the past couple years -- including long waits for care -- some whistleblowers contend that HIPAA has been used as a sword against them. Some have reported being accused of violating HIPAA for collecting material to inform members of Congress about care problems at the VA. Others say their own medical records were looked at by co-workers and officials without their consent.

“This is a problem that is widespread throughout the VA,” said Brandon Coleman, a VA whistleblower who testified before the Senate that his private medical records were inappropriately accessed by a co-worker. “I realized right away that she had no right to be in there. She had never treated me and had nothing to do with my medical care.”

Coleman, an addiction therapist for the Phoenix VA Health Care System who is on administrative leave, said a social worker mentioned during a meeting in October 2014 that she had accidentally accessed his medical file a few months earlier. Coleman said he was horrified and filed a complaint with the privacy officer at the Phoenix VA.

Shortly after he came forward in December 2014 to the Office of Special Counsel, a federal office that handles whistleblower allegations for the VA, Coleman was placed on administrative leave, for allegedly threatening other employees. While on leave, he discovered that yet another administrative officer at the VA, who was also not involved with his medical care, accessed his health files after he filed his complaint with the Office of Special Counsel.

“They come up with ways to try to discredit you or say you are unfit for duty,” said Coleman, who is still on leave nearly a year later. “There is zero accountability.”

Another VA whistleblower, Dr. Katherine Mitchell, was inappropriately investigated for a privacy violation after she came forward with allegations of patient harm.

Mitchell, a physician who has worked at the VA for over 16 years, contacted the office of Sen. John McCain, R-Arizona, in 2013, alleging that the Carl T. Hayden VA Medical Center in Phoenix didn’t provide adequate care for its suicidal veterans and that the hospital statistically manipulated its patient wait list.

Mitchell submitted a formal report through the senator’s office, hoping that a congressional push would secure a review by the VA’s inspector general. However, shortly after she submitted her request, she was placed on administrative leave and investigated for alleged privacy violations: Her superiors told her that she had violated privacy laws by accessing the records of the suicidal veterans she alleged had not received adequate care.

“It’s not a violation to provide that information to your congressman to request an investigation into inappropriate behavior,” said Mitchell, who believes that many whistleblowers are investigated for merely trying to bring attention to flaws in the system.

The VA’s internal records indicate that its incident response team found that Mitchell accessed at least 15 patients’ charts without “proper authorization.” But a recent VA accountability review found that Mitchell’s actions were indeed protected because she was acting as a whistleblower, and her placement on leave was deemed to be retaliatory.

“The management uses HIPAA rules inappropriately to prevent whistleblowers from speaking up,” said Mitchell, who received the Office of Special Counsel’s Public Servant award the year after her allegations. “If they don’t report the cases, no one will investigate.”

The experiences of Coleman and Mitchell were reflected in recent testimony from Carolyn Lerner, who heads the Office of Special Counsel. Lerner expressed concern that VA employees are accessing whistleblower medical records to discredit their claims. She emphasized that the VA should consider “system-wide corrective action” to better protect whistleblowers.

“Quite simply, it is too easy right now for a mischief-minded employee to enter the medical record system and access information on his or her coworkers,” Lerner wrote in her written testimony. “A better ‘lock’ on the system would potentially eliminate, and certainly reduce, this problem.”

Sen. Richard Blumenthal of Connecticut, the ranking Democrat on the Senate Committee on Veterans’ Affairs, said he too is concerned about this.

“Nothing is more devastating and unconscionable than the misuse of power to subjugate legitimate complaints,” he said in an interview. Blumenthal has proposed a bill, called the VA Patient Protection Act, which, among other things, would punish VA supervisors or employees who retaliate against whistleblowers.

“The VA still has a significant way to go in restoring trust and credibility,” he added, “and part of that task is to take sufficient disciplinary action against wrongdoers so as to deter them and reassure all veterans that it has a very strict standard of accountability.”

In its statement, the VA told ProPublica that it will not tolerate any retaliation “against those who raise issues which may enable VA to better serve Veterans.”

“Complaints that VA receives from whistleblowers about inappropriate access to their health records are thoroughly investigated and appropriate actions are taken where warranted,” said the VA.
