Episodes of Non-Adherence to Privacy and Security Policies at the Tibor Rubin VA Medical Center, Long Beach, California

The VA Office of Inspector General (OIG) conducted an inspection in response to episodes of non-adherence to Veterans Health Administration (VHA) and VA policies on patient information privacy and security at the Tibor Rubin VA Medical Center, Long Beach, California. After a VA computer update, a facility diagnostic device no longer interfaced with VHA patients’ electronic health records. A facility provider developed and implemented two workarounds to continue using the device. The workarounds were not in accordance with VHA and VA privacy and security policies and included using personal emails, a laptop, a non-encrypted flash drive, and electronic storage that were not approved by the VA. The OIG determined that the facility security and privacy staff mitigated the use of the workarounds and deleted the emails and information from the personal devices. However, issues with staff text messages were not addressed and, according to VA policy, the unencrypted personal emails and text messages did not meet the VA matrix criteria for a breach. The OIG concluded that patient sensitive personal information was at risk for disclosure to outside sources. Although the VA handbook that addressed matrix guidance for sensitive personal information incidents and events was revised on March 29, 2019, it did not address issues identified in this report. The OIG determined that 133 patients had sensitive personal information stored in unencrypted emails or text messages. In addition, facility staff used prohibited logbooks to track patient information and testing equipment. The OIG made one recommendation to the VA Assistant Secretary for Information and Technology and five recommendations to the Facility Director related to communication and education, disclosure of protected patient information, VA policy review, and compliance with the use of logbooks.