Pittsburgh VA ranks in top 10 for privacy complaints
On Jan. 4, 2010, a woman showed up to work at the VA Pittsburgh Healthcare System.
She had not submitted a resumé to the Department of Veterans Affairs or received a notice of hiring from the human resources department. She didn't have an official ID tag or a password to enter the nationwide computer system.
“Hired” by a friend employed at the VA Pittsburgh, she spent six weeks registering patients, issuing wristbands, scheduling appointments — and handling the sensitive medical and financial records of up to 6,207 military veterans. Her friend and other employees for whom she filled in gave her their passwords.
The scheme fell apart about a month later when the unnamed woman asked HR “why she had not received a paycheck,” according to a VA security report the Tribune-Review obtained.
The incident triggered the VA's second-largest breach of protected data nationwide in three years, potentially compromising data for about one in 10 patients.
According to the VA memo, the woman had worked as “a healthcare professional at a local hospital.”
The VA offered free credit monitoring to veterans whose records she read. Employees embroiled in her hiring faced “appropriate disciplinary action,” but there was no indication anyone would be fired.
Though the VA by law must disclose privacy breaches affecting more than 500 patients to the Department of Health and Human Services, officials there told the Trib that the VA failed to alert them.
A spokesman for Terry Gerigk Wolf, who has led the VA Pittsburgh Healthcare System since 2007, and her boss, Michael Moreland, director of Veterans Integrated Service Network 4, referred the Trib's written questions about their handling of this and other privacy complaints to the VA's national headquarters in Washington.
A VA spokeswoman there said Pittsburgh administrators decided not to tell Health and Human Services because they determined there was low risk of misuse of the data.
The fake employee was one of 267 Pittsburgh VA privacy failures from Jan. 1, 2010, to May 31, 2013. Medical or financial records for at least 7,069 vets and seven workers were lost, stolen or disclosed to outsiders, according to reports to the national office.
The Pittsburgh VA was in the top 10 nationwide for the number of complaints and second for the total number of potential victims since 2010.
Privacy problems appear to continue. An April 18 report claims an unidentified whistle-blower compiled seven binders of data on 14 patients — four of them deceased — to try to “prove lab equipment is faulty.”
That violates federal health privacy rules, but the Trib wanted to know if patients should worry about unsafe medical lab equipment. VA officials declined to comment.
New safety fears follow ongoing congressional probes dogging the Pittsburgh VA over one of the largest backlogs of benefits claims nationwide and an outbreak of Legionnaire's disease between 2011 and 2012 linked to at least five deaths.
“The problems you see are caused by a VA that threatens no consequences for wrongdoers, provides no oversight and fails to properly monitor employees for privacy violations,” said Darin Selnick, a former high-ranking VA official who advises Concerned Veterans for America, a Washington-based advocacy group.
“There's a problem with the culture at VA. It's degraded over the years, management is too lax, and real power isn't even held by the central office in Washington but by unaccountable hospital fiefdoms like you see in Pittsburgh. And no one can stop them,” said Selnick, a retired Air Force officer.
“Want to solve the problem? Start visibly firing them for these sorts of privacy violations. That sends a signal to the entire VA workforce about standards.”
Carl Prine is a Trib Total Media staff writer. Reach him at 412-320-7826 or firstname.lastname@example.org.