PITTSBURGH (AP) — Karen Santoro heard co-workers chattering about her psychological care in 2010.
An Air Force veteran and surgical services scheduler at the Veterans’ Affairs Pittsburgh hospital in Oakland, Santoro asked officials with the agency and the Department of Health and Human Services to investigate the apparent privacy violation. The talk seemed to violate the federal Health Insurance Portability and Accountability Act, or HIPPA, which prohibits release of medical information.
Advised by her physician, Santoro asked to be transferred or work from home until investigators finished their work. They refused. She resigned in mid-2011. She is convinced that officials were retaliating against her, and was concerned by “inaction” by Health and Human Services.
“It’s unconscionable that the very people who defend the rights of the American people don’t have those rights at (the) VA,” said Santoro, 46, of Pittsburgh. “We must fight back and change the system because we deserve a better one.”
A two-month Pittsburgh Tribune-Review investigation found Veterans Administration workers or contractors committed 14,215 privacy violations at 167 facilities from 2010 through May 31, victimizing at least 101,018 veterans and 551 agency employees. Some had photos of their anatomy posted on social media; others had their stolen IDs used to make fraudulent credit cards.
“Protecting the privacy of every American is important, but you would think that we would be very careful when it came to our veterans. They sure earned it,” said Deven McGraw, director of the Washington-based Health Privacy Project of the nonprofit Center for Democracy and Technology.
In a written statement, agency spokeswoman Genevieve Billia said the Veterans Administration “places the highest priority upon safeguarding the personal information” of veterans and uses technology to protect records. The agency takes privacy breaches “very seriously and has established strict guidelines that go beyond what is required by law,” she said.
The Veterans Administration led the nation in digitizing medical records, and that gives employees access to health and financial records with a few keystrokes. The Tribune-Review’s analysis of reports filed with the agency’s Risk Management and Incident Response Resolution Team found a pattern of illegal snooping through patient files, or lost sensitive data such as Social Security numbers.
Eleven times since 2010, criminal investigators discovered agency employees in Massachusetts, Ohio, Virginia, Florida and Washington stealing veterans’ identities or prescriptions. The outcome of those cases remains private.
In 2012, a medical clerk in Miami was sentenced to two years in prison for selling undercover agents data belonging to 22 veterans. A patient service assistant in Muskogee, Okla., snapped a photo of an ailing veteran’s exposed buttocks in 2011 and then, for reasons unknown, posted the picture on Facebook. Hers is not an isolated incident: at least 15 times over the past three years, workers put images of sick vets or revealed patients’ health information on social media.
“In this case, I don’t know what’s worse: that hundreds of VA employees and managers willfully and blatantly violated veterans’ privacy, or the fact that VA officials have refused to issue any sort of serious punishment in all but a fraction of these incidents,” said Rep. Jeff Miller, R-Fla., who chairs the House Committee of Veterans’ Affairs.