Investigation Finds Thousands of HIPAA Privacy Breaches at VA

Image from Shutterstock


From 2010 through May 31, Department of Veterans Affairs employees or contractors committed more than 14,000 HIPAA privacy breaches, according to a Pittsburgh Tribune-Review investigation.

The two-month investigation found that VA employees or contractors were responsible for 14,215 breaches, such as:

  • Stealing veterans' identities or prescriptions (Prine, Pittsburgh Tribune-Review, 10/12); and
  • Posting Facebook statuses that included photos of veterans' body parts (McCann, Healthcare IT News, 10/14).

The breaches affected:

  • 101,018 veterans; and
  • 551 VA employees

According to the Tribune-Review, VA led the country in adopting electronic health records, and that has given employees easy access to health and financial records.

According to the investigation, VA:

  • Lacks accountability, with only one in 365 privacy violations being reported to VA's Office of Inspector General;
  • Has poor safeguards in place; and
  • Fails to encrypt computer data.


In a statement, VA spokesperson Genevieve Billia said VA "places the highest priority upon safeguarding the personal information" of veterans and uses technology to protect records. She added that VA takes privacy breaches "very seriously and has established strict guidelines that go beyond what is required by law."

Deven McGraw, director of the Center for Democracy and Technology's Health Privacy Project, said, "It's hard to argue against the notion that VA holds the dubious distinction of being the largest violator of the nation's health privacy laws," adding, "Protecting the privacy of every American is important, but you would think that we would be very careful when it came to our veterans. They sure earned it" (Pittsburgh Tribune-Review, 10/12).

to share your thoughts on this article.