The Department of Veterans Affairs racked up over 10,000 serious breaches of privacy since 2011, making it “the nation’s most prolific violator of laws protecting patients’ personal medical information,” as the Washington Examiner puts it.
The offenders suffered no serious consequences, and the agency’s official watchdogs failed to bark.
Some of these breaches could be chalked up to incompetence, such as the story of Anthony McCann detailed by NPR. McCann opened an envelope from the VA and found it stuffed with 250 pages of somebody else’s highly sensitive medical records. It was not the first time this happened to him, or the first time he complained to the unresponsive VA bureaucracy about it. On this occasion, he was reluctant to return the other veterans’ documents to VA officials, because he no longer trusted them to take proper care of the information.
Other incidents were blatant examples of VA employees rooting around in medical files because they were curious, particularly when veterans attempted or committed suicide.
However, many of these privacy violations can only be seen as sheer contempt for America’s veterans. One example had a VA employee digging into a veteran’s medical records sixty-one times without any good reason, and posting the patient’s confidential information on Facebook. The employee got a two-week suspension (the violation report does not say if her pay was docked, but paid vacations are the preferred “punishment” across the Obama Administration) and kept her job.
Other cases described in report, published by ProPublica, were deliberate violations of medical privacy undertaken as retaliation against personal adversaries (such as former spouses) and whistleblowers, research for political campaigns, or even just for fun, as with a 2011 incident in which images of “an ailing veteran’s exposed buttocks” were posted on Facebook by a patient assistant.
On the other hand, NPR notes that whistleblowers have also complained that privacy laws were “used as a sword against them,” with accusations of privacy violation leveled at those who were gathering information about VA problems for reports to Congress.
The Department of Veterans Affairs was not the only HIPAA (Health Insurance Portability and Accountability Act) violator covered by the ProPublica report cited by the Examiner, and there was no punitive action taken against any of the private-sector violators, either. At most, there were some “reminders” given to offenders that amounted to bureaucratic nagging. That is not comforting to patients who were under the impression stiff penalties awaited those who would violate their confidentiality.
It is especially galling at the scandal-plagued Department of Veterans Affairs, whose many sins include greedy bureaucrats setting themselves up for unwarranted bonuses, neglect that led to the death of ailing veterans, and now thousands of examples of both carelessness and active contempt for patient privacy. The VA should be a source of pride for the American people, not a shameful embarrassment that disgusts the general public and enrages vets and their loved ones.
“For years, VA officials have been saying they take privacy violations and data loss ‘very seriously,’ yet in many cases those responsible for intentionally and wrongfully committing these acts face no serious discipline,” House Veterans Affairs Committee chair Jeff Miller (R-FL) said to the Examiner.
“After listening to VA leaders speak, it’s no wonder why the organization has lost so much trust with the veterans it is charged with serving,” Miller continued. “VA officials say they don’t tolerate whistleblower retaliation, but the facts prove that they do. VA officials say they are committed to accountability, but time and again the behavior of corrupt and incompetent employees goes virtually unpunished.”
These privacy violations are not a new problem. They are not a technological challenge, or a result of insufficient funding. The response from Department brass consists of ritual assurances that veteran’s privacy is taken very seriously, but it clearly isn’t. The Office of Civil Rights in the Department of Health and Human Services is supposed to enforce HIPAA, against both government agencies and private providers, but it clearly isn’t.