Email error causes data exposure at Lebanon VA Medical Center

An email error caused information about 1,000 veterans to be released by the Lebanon VA Medical Center in Pennsylvania.

In November, the organization experienced an unauthorized release of protected health information when information on 993 veterans was accidentally sent by email to a family member of a veteran.

The incident occurred because a historical listing of vets who were residents of nursing homes was sent to the family member, who was exploring nursing home placement options.

The email included veterans’ names, abbreviated Social Security numbers, diagnoses, the names of the nursing homes where the veterans were admitted, and service-connection disability rating percentages.

“Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously,” says Tonya Hromco, privacy officer at the facility. “We regret any release of unauthorized information, and notifications to those impacted were made as required.” In the notification, affected veterans were given information on firms that provide credit monitoring services.

Family members of deceased veterans who were included on the list are being notified by letter.

Now, the VA center is encrypting its data, and the number of persons allowed to access files has been dramatically restricted, says Douglas Etter, chief communications officer at Lebanon VA. “We’ve always known that protected health information is very important. We made a mistake; it’s as simple as that.”
