TrueDLP

It seems just like yesterday, when the Veterans Affairs Department (VA) was sending out notices to millions of patients informing them that their personal data might have been compromised. The year was 2006, and my dad called me in a panic immediately after receiving a notice that his information had been stolen. It was the largest data leak of social security numbers (26.5 million) ever, and the incident that led the public to question the security of their sensitive information.

Fast forward to March, 2010–the Veterans Affairs Department’s inspector general has launched a criminal investigation into a physician assistant’s alleged downloading of veterans’ clinical data at its Atlanta medical center. According to an article published in Nextgov News, “the assistant allegedly recorded two sets of patient data on to a personal laptop for research purposes. One set included three years’ worth of patient data and another held 18 years of medical information.” One of the most disturbing parts of this article is that the department is questioning whether or not they plan on notifying the veterans who records were downloaded during this latest breach.

So what happened? Where did the VA’s commitment to protect their patients’ privacy go wrong? Did they not educate their employees about what is acceptable to download and what is not? Do they even know where their unauthorized clinical data is within their organization? What are they planning to do to protect the veterans over the next 4 years?