Email-Related Breach at Lebanon VA Medical Center Exposed the PHI of 1,000 Patients

Lebanon VA Medical Center based in Pennsylvania found out that the protected health information (PHI) of hundreds of seniors has been impermissibly disclosed to a veteran’s family member.

The privacy breach occurred when a member of Lebanon VA Medical Center’s staff sent the wrong document to a veteran’s family member in November 2018. A veteran was looking for nursing home establishments and wanted a list of nursing home facilities connected with the Department of Veteran Affairs. However, the list contained a list of past residents of nursing homes.

The disclosed information included the names of veterans, diagnostic information, service-connection disability rating percentages, abbreviated Social Security numbers and the nursing home of the veteran.

According to Lebanon VA privacy officer, Tonya Hromco, Lebanon VA Medical Center and all employees take very seriously the obligation to safeguard patient information. Upon discovery of the privacy breach, they immediately investigated the incident with the help of national offices.

The inadvertent, unauthorized disclosure of data last November was an isolated mistake. The medical center has already taken steps to minimize the likelihood of future errors. Additional safety measures were employed in the department where the error happened and in other facilities. Files that contain historic data are now encrypted and only certain individuals have access to those files. Technical safety measures were likewise implemented to prevent the sending of email attachments outside the department.

Lebanon VA Medical Center issued a press release stating the PHI of 993 persons had been impermissibly disclosed. The breach report to the HHS’ Office for Civil Rights’ indicates the breach could have affected up to 1,002 persons. The people affected by the breach have been sent breach notification letters.