VA Doctors Used Unsecure Yahoo Calendar to Store Patient Data

In its monthly report to Congress, the Veteran Affairs Department listed a Yahoo calendar containing patient data among a number of data security lapses it dealt with.

The Veteran Affairs Department ordered doctors to immediately stop using a Yahoo Calendar Application to store confidential data. Notifications of a possible security breach have been sent to nearly 900 affected patients, according to VA's monthly report to Congress on Dec. 22.

The report called the breach as a "mishandling of electronic information," because doctors were storing patients' medical information, such as full names, dates and types of surgery and the last four digits of Social Security numbers, for 878 patients.

Information security authorities at the Chicago Health Care System first discovered on Nov. 23 that four residents in the facility's orthopedic department had been using Yahoo Calendar to maintain a calendar of patient medical data since July 2007. The data was protected by a single password that had never been changed in the past three years, the report said. Since a rotating series of residents over the past few years had access to that account it was unclear exactly how many people knew that password.

According to the report, the account was blocked a day later, all information deleted on Nov. 29 and affected veterans were notified on Dec. 2.

VA policy states that no patient information can be stored on systems outside its firewalls.

Roger Baker, VA's assistant secretary for information and technology, said on a media call that the incident was an example of the need for better and more secure IT tools for VA employees, including cloud-based tools.

"I love the tools. I just wish I could better control what's stored on them," he said.

This is not the first example of VA hospital physicians and employees using unauthorized applications to store patient data, said Baker. An earlier incident involved eight hospitals using Google Docs to store patient information before being shut down, he said.

All VA doctors have access to a secure network to store patient information and a Microsoft Excel application to schedule appointment and surgeries, according to Baker.

In the Chicago incident, Baker said it was possible that the orthopedics residents developed the Yahoo account in order to access VA patient information while working at non-VA hospitals.

Baker said the incidents illustrate the inevitable demand for access to cloud computing. He noted that he needed to figure out how to provide remote access for medical staff on VA systems so that they don't start using Yahoo or Google applications.

"VA is spending a lot of time trying to figure out how to go from saying no to saying yes for these kinds of apps," Baker said.

There were other data security breaches in November listed in the report, such as nearly 150 incidents where patient information was "mishandled" and "mismailed." This included incidents where information for one veteran was provided to another. The VA also reported that a number of computers, digital cameras and laptops were missing. It also disclosed an incident where data for 57 veterans were shared with an unauthorized agency. The VA also reported that 19 BlackBerry mobile phones were lost.

There is a glimmer of good news in the report. The department has been taking steps to improve security and privacy, such as encrypting data on laptops and desktops. Of the seven missing laptop incidents, six were already encrypted and the one that wasn't encrypted did not contain any sensitive or private data because it was used primarily to access the online Computerized Patient Record application. No patient data was stored locally on the lost laptop, according to the report.