Privacy violations on the rise at Minnesota's VA facilities

With chronic pain in his neck and back and a brain injury from his days in the service, it wasn't a surprise that Air Force veteran Ben Krause had a huge file at the Minneapolis Veterans Affairs offices: more than a thousand pages of confidential and sensitive information dealing with medical issues, vocational rehab and disability compensation.

What was a surprise is what happened when Krause requested copies of his file last year. The VA sent them to someone else.

The VA had used an outdated address. Krause never found out who received his file, which contained medical information, his Social Security number and information about his daughter. After the VA was told about the problem, it offered Krause a year's worth of credit protection.

With that, Krause became a member of what appears to be a widening club: the number of veterans whose privacy has been breached by employees and contractors at VA hospitals, community clinics and benefit centers.

"They delivered them to somebody who was not me, who signed for it, then I never got them, and VA's response was, 'whoops,' " Krause said.

Since 2011, there have been 240 cases of reported privacy violations at VA facilities in St. Paul, Minneapolis, St. Cloud and various clinics around the state. From 2011 to 2015, the number of violations has more than doubled.

The violations include one veteran receiving a photo in the mail of another veteran's colonoscopy, one provider discussing a patient's diagnosis with the patient's real estate agent, VA workers snooping into the records of patients whose names have appeared in the news, and some widows receiving discharge papers and awards belonging to unrelated vets.

The disclosures are contained in a database built by the investigative journalism organization ProPublica and shared with the Star Tribune. Working with data obtained through the Freedom of Information Act, ProPublica's national investigation found that employees and contractors at VA medical centers, clinics, pharmacies and benefit centers commit thousands of privacy violations each year and have racked up more than 10,000 since 2011.

The VA said the challenges it faces in keeping patient information secure are similar to those experienced by others in the private and public sectors. It said it takes its patients' privacy seriously and its policies and guidelines go beyond what is required by law.

"Inappropriate access of patient health records, either during or post treatment, is absolutely unacceptable and in violation of privacy laws and regulations, VA policies and procedures, and our principles," the VA said in a prepared statement.

But the disclosures indicate the VA's handling of its cases differs from those of other health care providers. The VA remains embroiled in scandals over manipulated appointment wait times and from revelations that the medical information of whistleblowers sometimes has been accessed by the VA in an apparent attempt to discredit them.

Last year, the head of the office that investigates VA whistleblower complaints told a Senate committee that "systematic changes" were needed in how the VA keeps records.

"It is too easy right now for a mischief-minded employee to enter the medical record system and access information on his or her co-workers," Carolyn Lerner said in written testimony.

The Minnesota cases run the gamut, from simple clerical errors to outright maliciousness:

• In 2013, one veteran opened his mail to discover a picture of the inside of another veteran's colon, taken during the veteran's colonoscopy at the St. Cloud VA. A nurse did not clear the camera to set up for the next patient and when the system printed the photos it included the veteran's name, birth date, Social Security number and date of the procedure, along with the provider's name.

• In 2014, a former VA supervisor in Minneapolis called a retired VA employee and claimed she knew about his health problems from another VA supervisor.

• In 2011, an employee of the Minneapolis VA snooped in the chart of a vet who had been in the news, even though it wasn't part of the employee's official duties. The worker admitted looking in the chart out of curiosity and was written up for disciplinary action. The following year, a research contract worker accessed the chart of another high-profile patient who was in the news.

• In another 2011 case in Minneapolis, clerks in a clinic were overheard by a patient and his daughter discussing a veteran enrolled at the clinic who had been identified in the local news media after being charged with a crime.

The 2011 to 2015 data provided to ProPublica for their investigation included the outcome of the breaches but does not indicate whether any employee was disciplined.

Asked whether workers were disciplined in the Minnesota cases, officials from Minnesota VA facilities referred all questions to a VA spokesman in Washington and provided a fact sheet on the VA's response to protect the privacy of its patients. The VA spokesman in Washington did not respond to a request for information.

While the VA has indicated it will pursue discipline, it said in its fact sheet that it relies heavily on workers admitting their own mistakes.

"Self-reporting is more consistent when punishment is de-emphasized over training and clear incident response," the VA said.

When an individual's medical record is accessed, it generates a report, which shows who has accessed the information and when. Additional audit records for the electronic health record are reviewed for signs of any inappropriate or suspicious activity or suspected violations.

The VA requires annual privacy and information security training of all employees and contractors. An Incident Response Team assesses any reported risk and arranges credit monitoring for the individual whose information is involved.

The VA may have misplaced the wrong vet's confidential information in the case of Ben Krause.

Krause is also an attorney who often represents veterans in cases against the VA and has been a frequent critic of it in his blog, disabledveterans.org. Krause says the use of third-party contractors appears to contribute to confusion, as does a system, much of it paper-generated, that is not coordinated or automatically updated. A failure to hold workers accountable also likely adds to problems, he said.

While HIPAA violations can carry economic penalties, it's virtually impossible to sue the VA over other privacy breaches because a prospective plaintiff would need to prove real economic damage, Krause said.

"They don't have the same kind of fear of God like some normal Joe Schmo, where they are held personally accountable," Krause said of the VA. "These individuals in the federal government are above the law, and it's the taxpayer that has to foot the bill every time there is a mistake."

Mark Brunswick • 612-673-4434