Orlando VA medical center breach exposes thousands of vets' info

The Orlando VA Medical Center reported a data breach that revealed the personal information of thousands of veterans.

What happened 

A former employee of the Orlando VA healthcare system caused a breach of personal information by emailing documents containing sensitive details of veterans to their personal email account on their last day of employment. 

According to Health News Florida, the breach was discovered on January 16. It impacted veterans whose names, addresses, phone numbers, email accounts, dates of birth, and complete or partial Social Security numbers were possibly included in the documents. The breach was reported to the HHS on March 5, 2024, and classified as unauthorized access/disclosure. 

See also: A guide to HIPAA and access controls

By the numbers

The impacted individuals totaled at 10,059 including:

• 9,076 veterans were notified about the breach.
• 565 deceased veterans' next of kin were also informed.
• 209 veterans are being offered no-cost credit monitoring for a year.

See also: FAQs: All about HIPAA breaches

Why it matters

This incident is not the VA's first; a similar breach occurred in September 2020, affecting approximately 46,000 veterans. This breach happened when unauthorized users accessed one of the VA's Financial Services Center (FSC) online applications. The attackers exploited vulnerabilities in the system by using social engineering techniques and manipulating authentication protocols to redirect payments intended for community health care providers for veterans' medical treatment. The breaches, notably the one in 2024, bring to attention gaps in VA data protections, particularly in managing insider threats and data handling and access policies. 

What happens next

The VA has already initiated contact with the affected veterans, along with the next of kin, to inform them about the breach and its implications. Additionally, veterans whose sensitive information, such as social security numbers, was exposed are being offered one year of free credit monitoring services to prevent any potential identity theft. 

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

Does HIPAA apply to VA healthcare organizations?

Yes, HIPAA applies within VA healthcare organization.

What can affected veterans do to protect their information?

Affected veterans are urged to monitor their financial accounts for any unusual activity and report any suspicious transactions immediately. They can also take advantage of the no-cost credit monitoring services offered by the VA.

Who can veterans contact for more information about the breach?

Veterans who have concerns or questions about the breach can contact the VA through a toll-free number: 1-833-486-3075, available Monday through Friday, from 8 a.m. to 4:30 p.m.