An investigation by the Veterans Affairs Office of Inspector General (OIG) into HIPAA violations by business associates is a reminder to covered entities of the risk these partners pose.
The investigation was prompted by a December 2014 call to the OIG’s hotline with an allegation that ProCare Home Medical (ProCare) was improperly storing and sharing VA sensitive data on contractor personal devices in violation of federal information security standards. The caller claimed that ProCare was allowing its employees to use personal computers and phones to access the company computer system and download VA sensitive data, including veterans’ personal health information.
“We substantiated the allegation that ProCare employees, according to its staff, accessed electronic sensitive veteran data with their personal computers from home through an unauthorized cloud-based system without encryption controls,” the VA OIG reported recently. “We also noted that ProCare employees or malicious users could potentially use personal devices on an unauthorized wireless network to access sensitive veteran information. In addition, we determined that ProCare was storing sensitive hard copy and electronic veteran information in an unsecured manner at their facility.”
ProCare could not provide evidence that applicable ProCare personnel had completed VA-required security awareness training or signed the Contractor Rules of Behavior prior to receiving access to VA sensitive data, the report said.
“These security deficiencies occurred because VA did not provide effective oversight of ProCare personnel to ensure the appropriate protection of veteran information at the contractor facility,” the OIG reported. “As a result, veteran sensitive information was vulnerable to loss, theft, and misuse, including identity theft or fraud.”
The OIG recommended that the VA provide more oversight and conduct a site assessment of ProCare information security controls to ensure compliance with VA information security requirements. The report is available online at http://bit.ly/2dtndsE.