Monday, May 22, 2006

VA Data Stolen: What impact on public perception of privacy of health information?

What impact will the release of personal information of approximately 26.5 million veterans records have on the publics perception of privacy of health information and the movement toward an electronic health information system?

The reports that I've read indicate that medical information was not included in the electronic data stolen. The data stolen did contain personal information, including name, social security number, date of birth and certain disability rating information. The data was stolen after an VA employee took the unencrypted records home on a laptop computer and the laptop was stolen from his residence.

For more details check out the Veterans Administrations official public information on the data security issue and Information on Veterans Affairs Data Security Issue.

UPDATE: As expected, a class action has been filed seeking $1,000 in damages for each person impacted by the data breach. With over 26 million veteran records involved, this could amount to an estimated $26.5 billion in damages.

The class action lawsuit was filed on June 6, 2006, in the United Stated District Court for the District of Columbia before Judge James Robertson by a coalition of veterans groups, including the Vietnam Veterans of America, Inc., Citizen Soldier, Inc., National Gulf War Resource Center, Inc., Radiated Veterans of America, Inc. and Veterans For Peace, Inc. Also, named as plaintiffs in the matter are: Charles L. Clark of Kailua, HI; David Cline of Jersey City, NJ; James E. Malone of Tucson, AZ; and Jon Rowan of Silver Spring, MD. The lawsuit names as defendants: R. James Nicholson, in his Official Capacity as Secretary of Veterans Affairs and the United States Department of Veterans Affairs. Representing the plaintiffs in the class action are L. Gray Geddie and Douglas J. Roskinski with Ogletree, Deakins, Nash, Smoak & Stewart, P.C., Columbia South Carolina.

The action seeks declaratory and injunctive relief and money damages for the violations of the Administrative Procedures Act and the Privacy Act of 1974. The complaint states the, "plaintiffs represent approximately 26,500,000 individuals who have suffered emotional trauma and been placed in fear of identity theft, destruction of credit and financial fraud because of Defendants' reckless disregard for the privacy of these citizen's basic personal information." The complaint contains the details of the laptop theft of a computer and external data storage device from the home of a VA employee and a more detailed description of the nature of the claims alleged by the plaintiffs.

UPDATE2: Also a group of 30 health consumer organizations lead by the Health Privacy Project have asked U.S. Department of Health and Human Services Secretary Mike Leavitt to undertake a compliance review of the VA under the privacy and security regulations of Health Insurance Portability and Accountability Act of 1996 (HIPAA). A copy of the full letter sent to Secretary Leavitt can be found on the Health Privacy Project website.

the 30 groups include:
AIDS Action of Baltimore (MD)
AIDS Action, Washington DC
AIDS Action Committee of Massachusetts, Inc., Boston MA
AIDS Foundation of Chicago (IL)
AIDS Legal Services, Law Foundation of Silicon Valley (CA)
American Academy of HIV Medicine, Washington DC
American Association of People with Disabilities, Washington DC
American Mental Health Counselors Association, Alexandria VA
American Nurses Association, Silver Spring MD
American Psychiatric Association, Washington DC
Bazelon Center for Mental Health Law, Washington DC
Center for Democracy and Technology, Washington DC
Center for HIV Law and Policy, New York NY
Community HIV/AIDS Mobilization Project, New York NY
Consumer Action, Washington DC
Electronic Privacy Information Center, Washington DC
Fairfax County Privacy Council (VA)
HIV/AIDS Law Project, Phoenix AZ
Housing Works, New York and Albany NY, Washington
DC and Jackson MS
Legal Action Center, New York NY
Mental Health Advocacy Project, Law Foundation of Silicon Valley (CA)
National Coordinating Committee for Multiemployer Plans, Washington DC
New York State Black Gay Network, New York NY
Patient Privacy Rights Foundation, Austin TX
Positive Outlook, Ferndale MI
Privacy Rights Clearinghouse, San Diego CA
Privacy Rights Now Coalition, Washington DC
Servicemembers Legal Defense Network, Washington DC
Vietnam Veterans of America, Silver Spring MD
Women's Cancer Advocacy Network, Glen Allen VA

No comments: