In its monthly report to Congress, the Veteran Affairs Department listed a Yahoo calendar containing patient data among a number of data security lapses it dealt with.
The Veteran Affairs Department ordered doctors to
immediately stop using a Yahoo Calendar Application to store confidential data.
Notifications of a possible security breach have been sent to nearly 900
affected patients, according to VA's monthly
report to Congress
on Dec. 22.
The report called the breach as a "mishandling of
electronic information," because doctors were storing patients' medical
information, such as full names, dates and types of surgery and the last four
digits of Social Security numbers, for 878 patients.
Information security authorities at the Chicago Health
Care System first discovered on Nov. 23 that four residents in the facility's orthopedic
department had been using Yahoo Calendar to maintain a calendar of patient
medical data since July 2007. The data was protected by a single password that had
never been changed in the past three years, the report said. Since a rotating
series of residents over the past few years had access to that account it was
unclear exactly how many people knew that password.
According to the report, the account was blocked a day
later, all information deleted on Nov. 29 and affected veterans were notified on Dec. 2.
VA policy states that no patient information can be stored
on systems outside its firewalls.
Roger Baker, VA's assistant secretary for information and
technology, said on a media call that the incident was an example of the need
for better and more secure IT tools for VA employees, including cloud-based
"I love the tools. I just wish I could better control
what's stored on them," he said.
This is not the first example of VA hospital physicians
and employees using unauthorized applications to store patient data, said
Baker. An earlier incident involved eight hospitals using Google Docs to store
patient information before being shut down, he said.
All VA doctors have access to a secure network to store
patient information and a Microsoft Excel application to schedule appointment
and surgeries, according to Baker.
In the Chicago incident, Baker said it was possible that
the orthopedics residents developed the Yahoo account in order to access VA patient
information while working at non-VA hospitals.
Baker said the incidents illustrate the inevitable demand
for access to cloud computing. He noted that he needed to figure out how to
provide remote access for medical staff on VA systems so that they don't start
using Yahoo or Google applications.
"VA is spending a lot of time trying to figure out how to
go from saying no to saying yes for these kinds of apps," Baker said.
There were other data security breaches in November
listed in the report, such as nearly 150 incidents where patient information
was "mishandled" and "mismailed." This
included incidents where information for one veteran was provided to
another. The VA also reported that a
number of computers, digital cameras and laptops were missing. It also
disclosed an incident where data for 57 veterans were shared with an
unauthorized agency. The VA also reported that 19 BlackBerry mobile phones were
There is a glimmer of good news in the report. The
department has been taking steps to improve security and privacy, such as
encrypting data on laptops and desktops. Of the seven missing laptop incidents,
six were already encrypted and the one that wasn't encrypted did not contain
any sensitive or private data because it was used primarily to access the
online Computerized Patient Record application. No patient data was stored
locally on the lost laptop, according to the report.