Americans from New York to Hawaii are politically charged as we get closer to the primaries in November. Still, recent reports about staff snooping from the U.S. Department of Veterans Affairs (VA) disturb both healthcare professionals and veterans across the nation.

According to information disclosed by VA Inspector General Michael Missal’s office, the administration caught at least a dozen employees snooping into the confidential health records of vice-presidential candidates Tim Walz (D) and J.D. Vance (R). The breach violates the HIPAA Privacy Rule and the VA’s code of conduct, casting doubt on how well the VA protects the records of the veterans it serves.

Vice-presidential candidates are vulnerable to insider threats — assume your healthcare practice is too. See how ChartRequest can secure your health information today.

What Happened During the VA Staff Snooping Breach?

According to findings first reported by the Washington Post, the VA recently informed the Vance and Walz campaign teams about staff snooping that led to a health information breach for the VP candidates during July and August.

Healthcare professionals are responsible for protecting patient data, but human curiosity can lead to HIPAA breaches and major privacy violations.

At least a dozen staff members — including a physician and contractor — accessed Vance and Walz’s health records without reasonable cause or authorization. Law enforcement notes that numerous employees viewed sensitive data through the VA’s private computer system connected to government offices.

Investigators concluded that these employees spent significant time viewing the records, raising suspicions about their motives.

At this time, authorities cannot confidently determine the extent of the breach or whether any staff responsible shared these records with persons inside or outside the organization.

Concerns About VA Staff and Security

The VA uncovered the data breach during a routine security sweep of high-profile health accounts registered with the organization. 

Tim Walz, campaigning on the Democratic Ticket with current Vice President Kamala Harris, retired from the National Guard in 2005 after serving 24 years.

J.D. Vance served as a military journalist in the Marine Corps between 2003 and 2007 before accepting former president Donald Trump’s offer as running mate.

The VA employs nearly 400,000 staff members to provide care and manage the health records of more than nine million registered veterans. As a consequence, many Americans worry about the confidentiality of their own health information.

Neither the Justice Department nor the VA Inspector General’s Office commented further on the ongoing investigation.

However, VA press secretary Terrence Hayes stated, “We take the privacy of the Veterans we serve very seriously and have strict policies in place to protect their records. Any attempt to improperly access Veteran records by VA personnel is unacceptable and will not be tolerated.”

Consequences on the 2024 Election and Beyond

The data breach of vice-presidential candidates can be detrimental to national security and erode American confidence in the healthcare system. Bad actors can use this information to threaten the safety of political leaders and exploit vulnerabilities in federal databases.


The effective treatment of millions of veterans could also be at risk if authorities are unable to close and secure gaps quickly. Concerns about whether illegally obtained information can influence voters during the upcoming election may also create unnecessary worry and ethical questions for many Americans.

Penalties for intentionally breaching medical records may include:

  • Employee termination
  • Referral to local or federal law enforcement
  • Civil penalties
  • Criminal prosecution
  • Administrative sanctions

Fortunately, VA Secretary Denis McDonough reminded staff and members that any violation of HIPAA privacy rules could result in severe disciplinary action. McDonough released the following memo to VA staff on August 30:

“Veteran information should only be accessed when necessary to accomplish officially authorized and assigned duties as an employee, contractor, volunteer or other personnel. Viewing a veteran’s records out of curiosity or concern – or for any purpose that is not directly related to officially authorized and assigned duties – is strictly prohibited.”

Avoid costly HIPAA penalties — start protecting your healthcare practice now!

Regulations Designed to Reduce Breaches

Healthcare providers across the country can look at the recent VA staff snooping data breach — among other high-profile cases — as an example of the risks associated with record storage and delivery. It is important for your organization to maintain legal compliance with HIPAA rules and regulations to avoid these disasters.

Consider these standards when revising your health information data policy:

The Minimum Necessary Rule

While VA physicians may view veterans’ health records for emergencies, treatment, or study, examining member records without such a need violates the Minimum Necessary Rule.

In short, this states that providers may only access and release the minimum necessary PHI to fulfill requests and/or provide informed treatment. This protects patients by guaranteeing that their health information is not subject to scrutiny without cause.

HIPAA Breach Notification Rule

The Breach Notification Rule dictates that any organization that suspects a health information breach must report it to the proper authorities and impacted individuals. This obligation varies based on the number of individuals impacted.

In compliance with this rule, the VA notified the candidates’ campaigns and federal authorities about the staff snooping breach. 

Failing to comply with this rule may result in severe penalties for the responsible organization, even if insider threats caused the breach. The best way to stay compliant is to never experience a breach, but it’s wise to prepare for the worst-case scenario.

HIPAA Privacy and Security Rules

The HIPAA Security Rule imposes strict technical requirements that help prevent avoidable breaches and detect the ones that still occur.

The HIPAA Privacy Rule sets out the requirements for protecting patient privacy, including authorization requirements, permitted reasons for disclosure, and patient rights.

Together, these rules aim to comprehensively protect patient data. The Department of Health and Human Services also outlines ways to reduce the risk of data breaches within your organization.

Strategies include:

  • Providing adequate staff training
  • Completing routine audits and updates on health databases
  • Implementing robust security measures on company computers

Encrypted databases and restricted access to patient records can significantly reduce your risk of experiencing an insider threat. 

How Can You Protect Your Practice From Staff Breaches?

The VA is a massive healthcare system, and this staff snooping incident illustrates the risk of breaches regardless of an organization’s size. One key takeaway from this incident, however, is that the VA’s access logs and protocols enabled administrators to identify the breach and take quick action.

By reviewing the access logs of high-profile patients, the VA has managed to identify about a dozen individuals who unlawfully viewed the VP candidates’ records.
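The review described above can be automated. The following is an added example, not code from ChartRequest or the VA: it reads a constructed EHR audit log, keeps only accesses to records of flagged (high-profile) patients, excludes users with a documented treatment relationship, and raises the severity for sustained viewing. The log format, the care-team table, and the dwell-time threshold are assumptions for the example.

```python
"""Flag access to high-profile patient records by staff with no care relationship.

Added example with constructed data; the pipe-delimited audit format,
the care-team table, and the 300-second threshold are assumptions.
"""
from collections import defaultdict

# Constructed sample audit log: user|patient_id|opened_at|seconds_viewed
AUDIT_LOG = """\
dr_lee|P1001|2024-07-12T09:14:00|45
rn_park|P2002|2024-07-12T10:02:00|30
clerk_jones|P1001|2024-07-14T22:41:00|610
contractor_x|P1001|2024-07-15T11:05:00|900
dr_lee|P1001|2024-08-01T08:30:00|120
rn_park|P1001|2024-08-03T13:20:00|15
"""

# Constructed: patients whose records get routine sweeps (the VA's "high-profile accounts")
FLAGGED_PATIENTS = {"P1001"}
# Constructed: documented treatment relationships, user -> set of patient ids
CARE_TEAM = {"dr_lee": {"P1001"}, "rn_park": {"P2002"}}

DWELL_THRESHOLD = 300  # seconds; "significant time viewing" raises severity


def parse_log(text):
    """Parse the audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        user, pid, ts, secs = line.split("|")
        events.append({"user": user, "patient": pid, "ts": ts, "secs": int(secs)})
    return events


def find_snooping(events, flagged=FLAGGED_PATIENTS, care_team=CARE_TEAM):
    """Return {user: {accesses, max_dwell, severity}} for flagged-record access
    by users who have no care relationship with that patient."""
    findings = defaultdict(lambda: {"accesses": 0, "max_dwell": 0, "severity": "low"})
    for e in events:
        if e["patient"] not in flagged:
            continue
        if e["patient"] in care_team.get(e["user"], set()):
            continue  # minimum-necessary access by an assigned clinician
        f = findings[e["user"]]
        f["accesses"] += 1
        f["max_dwell"] = max(f["max_dwell"], e["secs"])
        f["severity"] = "high" if f["max_dwell"] >= DWELL_THRESHOLD else "low"
    return dict(findings)


if __name__ == "__main__":
    for user, f in find_snooping(parse_log(AUDIT_LOG)).items():
        print(f"{user}: {f['accesses']} access(es), max dwell {f['max_dwell']}s, {f['severity']}")
```

A production version would pull the care-team relationships from the scheduling or encounter system rather than a static table, and would feed the findings to the privacy officer for review rather than treating them as proof of misconduct.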

Protect medical records from breaches at rest and in transit with the #1 release of information solution.

Medical records aren’t only at risk when stationary in an EHR system. Records exchange is federally mandated, but traditional methods lack the transparency and reporting necessary to maximize patient privacy and data security.

ChartRequest is designed to make the exchange of medical, imaging, and billing records safe and easy.

Strict access controls and automated monitoring create time-stamped logs to help healthcare professionals ensure organizational compliance. Our data experts use SOC 2, HITRUST, and ISO 27001-certified workflows to maintain legal compliance during every record request.

Your patients’ health confidentiality is our priority. Schedule a consultation to start securing your data with our top-rated platform.
