ShareThis Page

Pittsburgh VA ranks in top 10 for privacy complaints

| Saturday, Oct. 12, 2013, 9:04 p.m.

On Jan. 4, 2010, a woman showed up to work at the VA Pittsburgh Healthcare System.

She had not submitted a resumé to the Department of Veterans Affairs or received a notice of hiring from the human resources department. She didn't have an official ID tag or a password to enter the nationwide computer system.

“Hired” by a friend employed at the VA Pittsburgh, she spent six weeks registering patients, issuing wristbands, scheduling appointments — and handling the sensitive medical and financial records of up to 6,207 military veterans. Her friend and other employees for whom she filled in gave her their passwords.

The scheme fell apart about a month later when the unnamed woman asked HR “why she had not received a paycheck,” according to a VA security report the Tribune-Review obtained.

The incident triggered the VA's second-largest breach of protected data nationwide in three years, potentially compromising data for about one in 10 patients.

According to the VA memo, the woman had worked as “a healthcare professional at a local hospital.”

The VA offered free credit monitoring to veterans whose records she read. Employees embroiled in her hiring faced “appropriate disciplinary action,” but there was no indication anyone would be fired.

Though the VA by law must disclose privacy breaches affecting more than 500 patients to the Department of Health and Human Services, officials there told the Trib that the VA failed to alert them.

A spokesman for Terry Gerigk Wolf, who has led the VA Pittsburgh Healthcare System since 2007, and her boss, Michael Moreland, director of Veterans Integrated Service Network 4, referred the Trib's written questions about their handling of this and other privacy complaints to the VA's national headquarters in Washington.

A VA spokeswoman there said Pittsburgh administrators decided not to tell Health and Human Services because they determined there was low risk of misuse of the data.

The fake employee was one of 267 Pittsburgh VA privacy failures from Jan. 1, 2010, to May 31, 2013. Medical or financial records for at least 7,069 vets and seven workers were lost, stolen or disclosed to outsiders, according to reports to the national office.

The Pittsburgh VA was in the top 10 nationwide for the number of complaints and second for the total number of potential victims since 2010.

Privacy problems appear to continue. An April 18 report claims an unidentified whistle-blower compiled seven binders of data on 14 patients — four of them deceased — to try to “prove lab equipment is faulty.”

That violates federal health privacy rules, but the Trib wanted to know if patients should worry about unsafe medical lab equipment. VA officials declined to comment.

New safety fears follow ongoing congressional probes dogging the Pittsburgh VA over one of the largest backlogs of benefits claims nationwide and an outbreak of Legionnaire's disease between 2011 and 2012 linked to at least five deaths.

“The problems you see are caused by a VA that threatens no consequences for wrongdoers, provides no oversight and fails to properly monitor employees for privacy violations,” said Darin Selnick, a former high-ranking VA official who advises Concerned Veterans for America, a Washington-based advocacy group.

“There's a problem with the culture at VA. It's degraded over the years, management is too lax, and real power isn't even held by the central office in Washington but by unaccountable hospital fiefdoms like you see in Pittsburgh. And no one can stop them,” said Selnick, a retired Air Force officer.

“Want to solve the problem? Start visibly firing them for these sorts of privacy violations. That sends a signal to the entire VA workforce about standards.”

Carl Prine is a Trib Total Media staff writer. Reach him at 412-320-7826 or

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.