VA doctors' foray into cloud causes potential breach

Yahoo calendar held patient names, surgeries

The Veterans Affairs Department has ordered an immediate shutdown of a cloud application on the Yahoo website that VA doctors were using to store patients’ medical information without appropriate data security controls, officials said.

Notifications of a possible security breach will be sent to 878 patients, according to VA’s "Monthly Report to Congress on Data Incidents" for November, released by the department Dec. 22.

The breach, which is referred to as a mishandling of electronic information, came to the attention of VA's information security authorities on Nov. 23 when they discovered that physicians and employees in a VA hospital orthopedics department were maintaining a calendar of patient medical data on a Yahoo.com cloud application.


Related stories:

Unencrypted thumb drive causes breach at VA

VA data breach reports available online


The calendar has existed since 2007 and was protected by a single password shared by a number of people. The password had not been changed in the three years of operation.

The calendar contained full names, dates and types of surgery, and the last four digits of Social Security numbers for nearly 900 patients, the report states.

VA’s National Security Operations Center ordered the calendar to be closed Nov. 24. All entries were deleted, and the patients are to be notified of the possible breach.

Roger Baker, VA's assistant secretary for information and technology, said Dec. 22 the incident was an example of the need for better and more secure IT tools for VA employees, including cloud-based tools.

The report notes that all VA doctors have access to a secure VA network to store patient information and a Microsoft Excel application to schedule appointments and surgeries.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Sat, Oct 1, 2011 GBOGH Annandale, VA

No wonder doctors where using a cloud based calendar. Why is Microsoft Excel being used at the VA for scheduling appointments and surguries? $3.2 billion a year in discretionary IT budget should allow for building or buying a better patient scheduling application.

Fri, Jan 21, 2011 Tom Boston

So when are the monetary fines and punishments promised by HIPAA going to kick in and actually penalize the staff for flagrant violations of compliance??? HIPAA has raised the cost of healthcare, ostensibly for the public good, why not start collecting? Now.

Tue, Jan 4, 2011

Seriously? Of course IT is a pain with their security requirements, governments and businesses require us to be that way. That doesn't give the right for providers to do reckless things that their HIPAA training told them not to do.
Imagine if your bank issued everyone the same pin number for each debit card they issued, and then shared all kinds of account information with anyone who might happen to have the pin.
How about throwing your payroll, dob, ssn, and other personal data out on a Yahoo account and play share the password. What is more appalling is that people that pull these kinds of stunts usually use passwords like 12345. Hmmm wonder how many hackers have seen the data?

Wed, Dec 29, 2010

I'm sure there are lots of such things going on. Perhaps that "IT dept. is a pain with their security requirements" syndrome.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above