Monthly Activity Report*



Similar documents
Monthly Activity Report*

Monthly Activity Report*

Monthly Activity Report*

Department of Veterans Affairs VA HANDBOOK MANAGEMENT OF BREACHES INVOLVING SENSITIVE PERSONAL INFORMATION

VA Data Breach Follow-Up. Adair Martinez, Deputy Assistant Secretary for Information Protection and Risk Management Department of Veterans Affairs

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

Overview of the HIPAA Security Rule

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

VA Office of Inspector General

HIPAA and Mental Health Privacy:

HIPAA Breach Notification Policy

My Docs Online HIPAA Compliance

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

Data Breach and Senior Living Communities May 29, 2015

Proofpoint HIPAA Breach Report:

HIPAA Compliance Annual Mandatory Education

7 VITAL FACTS ABOUT HEALTHCARE BREACHES.

Data Managers Interest Group. Research. April 17, 2012

HIPAA Security & Compliance

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

STANDARD ADMINISTRATIVE PROCEDURE

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

The Impact of HIPAA and HITECH

HIPAA Security Education. Updated May 2016

Iowa Health Information Network (IHIN) Security Incident Response Plan

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

What do you need to know?

The Basics of HIPAA Privacy and Security and HITECH

Department of Veterans Affairs VHA HANDBOOK Washington, DC October 15, 2003

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

HIPAA and Health Information Privacy and Security

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

HIPAA Privacy & Security Rules

HIPAA and Privacy Policy Training

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

VA Office of Inspector General

HIPAA Requirements and Mobile Apps

[Company Name] HIPAA Security Awareness and Workforce Training Program Manual

Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two.

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

Your Agency Just Had a Privacy Breach Now What?

Cyber Liability. AlaHA Annual Meeting 2013

HIPPA Goes HITECH. Data Protection for Agents

The HITECH Act: Protect Patients and Your Reputation

Incident Response Plan for PCI-DSS Compliance

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS

Breach Notification Decision Process 1/1/2014

HIPAA Compliance: Efficient Tools to Follow the Rules

P Mobile Device Security.

HIPAA and HITECH Compliance for Cloud Applications

Information Security Policy

PHI- Protected Health Information

HIPAA Security Rule Compliance

Symantec DLP Overview. Jonathan Jesse ITS Partners

HIPAA Security Risk Analysis for Meaningful Use

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

Best Practices for DLP Implementation in Healthcare Organizations

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

Sharing Mental Health Information in Correctional Settings HIPAA and NYS Mental Hygiene Law

What s New with HIPAA? Policy and Enforcement Update

What Data? I m A Trucking Company!

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

9/13/2011. Miscellaneous Current Topics in Healthcare Professional Liability. Antitrust Notice. Table of Contents. Cyber Liability.

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

INFORMATION SECURITY California Maritime Academy

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Getting Hip to the HIPAA and HITECH Act Compliance

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Implementation Business Associates and Breach Notification

Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement

HIPAA Final Rule Changes

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

Today s Webcast is presented by Michael, also from the DART Team. Michael will provide

HIPAA Risk Assessments for Physician Practices

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

HIPAA Privacy and Information Security Management Briefing

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010

R345, Information Technology Resource Security 1

Transcription:

Information Security Monthly Activity Report* May 2015 VA uses a defense-in-depth approach to information security to protect the data we hold on Veterans. While the defense-in-depth approach protects from inbound threats and contains other data exposing incidents, VA relies on employees to protect Veteran information they handle and transmit. This graphic demonstrates how the layered defense protects Veterans from threats, and where data exposures have occurred for the past month. Threats Blocked or Contained By VA s Defense In Depth 0 VETERANS AFFECTED 0 Notifications 0 Credit Protection Services Offered Of the total # of Veterans affected, 0 were in relation to protected health information incidents, reported to HHS in accordance with the HITECH Act. Intrusion Attempts (Blocked) 336,455,268 Malware (Blocked/Contained) 574,703,578 Suspicious/Malicious Emails (Blocked) 73,986,996 Infected Medical Devices (Contained)** 2 Outgoing Unencrypted Emails 86 Associated Privacy/Security Events 13,457 Total Emails Blocked = threat stopped ** Running total of medical device infections for which remediation efforts are underway. 1,018 VETERANS AFFECTED Reported Events 303 Notifications 715 Credit Protection Services Offered Of the total # of Veterans affected, 361 were in relation to protected health information incidents, reported to HHS in accordance with the HITECH Act. Lost and Stolen Device Incidents 60 Lost PIV Cards 134 = origin of incident Mishandled Incidents 100 Mis-mailed Incidents 162 Paper Mis-mailings 22 Pharmacy-item Mis-mailings out of 6,676,699 Total Mailings * This graphic is a visual depiction of VA s information security defense in depth. It is not intended to provide an exhaustive summary of VA s information security activity. This data, which is extracted from Data Breach Core Team and US-CERT reporting, represents a snapshot in time and is subject to change based on further validation.

DEPARTMENT OF VETERANS AFFAIRS Office of Information and Technology Office of Information Security Incident Resolution Service Monthly Report to Congress of Data Incidents May 1-31, 2015

Security Privacy Ticket Number: DBCT Category: Organization: PSETS0000119467 IT Equipment Inventory VISN 23 Iowa City, IA Date Opened: Date Closed: Date of Initial DBCT Review: VA-NSOC Incident Number: 5/13/2015 5/14/2015 N/A VANSOC0620888 Date US-CERT Notified: 5/13/2015 US-CERT Case Number: US-CERT Category: INC000000468064 Category 1 - Unauthorized Access No. of Credit Monitoring: No. of Loss Notifications: Incident Summary During a routine inventory of VA engineering equipment, it was found that one Dell desktop computer capable of storing VA data could not be located. It is unknown if the hard drive was encrypted or tracking software was deployed on the device, however the device was not used to store or transmit sensitive data. Incident Update 05/14/15: The Incident Resolution Service Team has determined that no data breach has occurred. The workstation did not contain or transmit any sensitive data. Page 2 of 13

Resolution A report of survey has been started for the device and VA Police were contacted as part of the report of survey team. DBCT Decision Date: DBCT This incident was discussed by the DBCT, but no DBCT decision is required. This is informational for IT Equipment Inventory incidents and is the representative ticket. There were a total of 4 IT Equipment Inventory Incidents this reporting period. Because of repetition, the other 3 are not included in this report. Page 3 of 13

Security Privacy Ticket Number: DBCT Category: Organization: PSETS0000119530 Unencrypted Laptop Missing VISN 19 Fort Harrison, MT Date Opened: Date Closed: Date of Initial DBCT Review: VA-NSOC Incident Number: 5/14/2015 5/29/2015 N/A VANSOC0620953 Date US-CERT Notified: 5/14/2015 US-CERT Case Number: US-CERT Category: INC000000468473 Category 6 - Investigation No. of Credit Monitoring: No. of Loss Notifications: Incident Summary The Information Security Officer (ISO) and Fiscal Department were notified on 05/13/15 of a Samsung Galaxy tablet belonging to the Women's Health Project that was mailed to the wrong Community Based Outpatient Clinic (CBOC) location, and could not be located after 03/30/15. Incident Update 05/18/15: The tablet was neither encrypted nor connected to the VA network and did not contain any sensitive VA data. No breach has occurred. Resolution Tablets will have now labels on them warning users not to enter or store any sensitive information on them. Also, users will be reinstructed to contact the ISO as soon as one is known to be missing. Page 4 of 13

DBCT Decision Date: DBCT No DBCT decision was required. This was left on the report as it is missing unencrypted equipment. Page 5 of 13

Security Privacy Ticket Number: DBCT Category: Organization: PSETS0000119811 Mishandling VBA Portland, OR Date Opened: Date Closed: Date of Initial DBCT Review: VA-NSOC Incident Number: 5/21/2015 6/1/2015 5/26/2015 VANSOC0621229 Date US-CERT Notified: 5/21/2015 US-CERT Case Number: US-CERT Category: INC000000470328 Category 4- Improper Usage No. of Credit Monitoring: 508 No. of Loss Notifications: Incident Summary A Vocational Rehabilitation and Employment (VR&E) employee emailed 508 Veteran names and SSNs incorrectly to an outside entity. The information was on a spreadsheet. The individual who received the information was a Veteran who was a client of the VR&E employee. Incident Update 05/21/15: The Incident Resolution Service Team has determined that 508 Veterans will be sent a letter offering credit protection services. Resolution The VR&E employee was counseled by the supervisor. Page 6 of 13

DBCT Decision Date: 05/26/2015 DBCT 05/26/2015: This incident was briefed to the DBCT due to the numbers of individuals involved. The DBCT concurred that 508 Veterans will be offered credit protection services. Page 7 of 13

Security Privacy Ticket Number: DBCT Category: Organization: PSETS0000119835 Mishandling VISN 11 Ann Arbor, MI Date Opened: 5/21/2015 Date Closed: Date of Initial DBCT Review: VA-NSOC Incident Number: N/A VANSOC0621251 Date US-CERT Notified: 5/21/2015 US-CERT Case Number: US-CERT Category: INC000000470413 Category 6 - Investigation No. of Credit Monitoring: 29 No. of Loss Notifications: Incident Summary An Ambulatory Care Medical Support Assistant (MSA) was given a Patient Treatment File (PTF) Patient List along with patient labs by an RN and instructed to fax the documents to the patient. The PTF list included 29 inpatient full names, full SSNs, location in facility, doctor's name, and home phone number. Incident Update 05/22/15: The Incident Resolution Service Team has determined that the 29 Veterans whose information was disclosed will be sent letters offering credit protection services. Page 8 of 13

DBCT Decision Date: DBCT No DBCT decision is required. This is informational for Mishandling incidents and is the representative ticket. There were a total of 100 Mishandling incidents this reporting period. Because of repetition, the other 99 are not included in this report. In all incidents, Veterans will receive a notification letter and/or credit monitoring will be offered if appropriate. Page 9 of 13

Security Privacy Ticket Number: DBCT Category: Organization: PSETS0000119968 CMOP Mismailed VHA CMOP Tucson, AZ Date Opened: Date Closed: Date of Initial DBCT Review: VA-NSOC Incident Number: 5/27/2015 6/2/2015 N/A VANSOC0621379 Date US-CERT Notified: 5/27/2015 US-CERT Case Number: US-CERT Category: INC000000471544, Category 6 - Investigation No. of Credit Monitoring: No. of Loss Notifications: 15 Incident Summary Fifteen patient's received a Consolidated Mail Outpatient Pharmacy (CMOP) prescription package intended for fifteen other patient's. Fifteen patient's name and type of medication were disclosed. No SSN data was compromised. The Patients reported the incident to the medical center and a replacement has been requested for Patients whose medications were mismailed. The Tucson CMOP investigation concludes that this was a mail consolidator error. The packing labels were misapplied to the packages. The mail consolidator has been notified of the error and will take corrective action. Incident Update 05/27/15: The Incident Resolution Service Team has determined that 15 Veterans will be sent a HIPAA notification letter due to Protected Health Information (PHI) being disclosed. Page 10 of 13

Resolution On 5/27/15, the mail consolidator was notified of the error and will take corrective action. DBCT Decision Date: DBCT No DBCT decision is required. This is informational for Mismailed CMOP incidents and is the representative ticket. There were a total of 22 Mismailed CMOP incidents out of 6,676,699 total packages (9,954,473 total prescriptions) mailed out for this reporting period. Because of repetition, the other 21 are not included in this report. In all incidents, Veterans will receive a notification letter. Page 11 of 13

Security Privacy Ticket Number: DBCT Category: Organization: PSETS0000119995 Mismailed VBA Milwaukee, WI Date Opened: Date Closed: Date of Initial DBCT Review: VA-NSOC Incident Number: 5/27/2015 5/28/2015 N/A VANSOC0621408 Date US-CERT Notified: 5/27/2015 US-CERT Case Number: US-CERT Category: INC000000471659 Category 6 - Investigation No. of Credit Monitoring: 1 No. of Loss Notifications: Incident Summary A letter addressed to Veteran A was included in the correspondence package sent to and recieved by Veteran B. Incident Update 05/27/15: The Incident Resolution Service Team has determined that Veteran A will be sent a letter offering credit protection services. Resolution The employee responsible for the mismailing was re-educated on proper procedures on 05/28/15. Page 12 of 13

DBCT Decision Date: DBCT No DBCT decision is required. This is informational for Mismailed incidents and is the representative ticket. There were a total of 162 Mismailed incidents this reporting period. Because of repetition, the other 161 are not included in this report. In all incidents, Veterans will receive a notification letter and/or credit monitoring will be offered if appropriate. Page 13 of 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information