The Department of Veterans Affairs (VA) Office Inspector General (OIG) discovered in a July 31 report that a VA healthcare facility in Long Beach, California, failed to adhere to VA and Veterans Health Administration (VHA) privacy and security policies in the midst of a patient electronic health record (EHR) complication.
Prior to the security complications at the Tibor Rubin VA Medical Center, the VA upgraded its operating systems in 2013 from Windows XP to Windows 7, which OIG said led the VA IT network to no longer support software interface between some the facility’s medical devices and the VHA EHR.
Facility officials implemented two workarounds, which included the use of a gastroenterology (GI) provider’s personal computer and email, a non-VA unencrypted flash drive, and the cloud. However, OIG said that these practices “were not in accordance with VA security and privacy policies concerning sensitive personal information.”
OIG further found that 133 patients who had sensitive personal information were mentioned in the GI provider’s personal emails and texts. The medical center director told OIG that the facility did not consider the incident a breach, so the effected patients were not notified of possible disclosure.
“OIG staff concluded that, although there was no evidence that unauthorized persons accessed patient sensitive personal information, the GI provider and facility staff increased the risk and possibility that sensitive personal information for the 133 patients could have been disclosed or accessed by unauthorized persons,” OIG stated.