Two sets of patient data were downloaded and recorded onto a personal laptop by a physician’s assistant in the Atlanta VA Medical Center. The Department of Veterans Affairs (VA) Inspector General initiated a criminal investigation into the downloading. One of the sets of information contained 3 years of patient data. The other contained medical information going back 18 years.
It is possible that while the physician’s assistant’s laptop was never directly connected to the VA’s network, the information could still have been removed from the network. To date, the VA has not released information as to how many veteran-patients may be affected or involved or if they are even planning on notifying those veterans.
The VA’s Office of Information and Technology is currently working to determine the specific details of the information removed from the VA network. The results of their findings will allow the VA to determine how to proceed. What is known so far is that some of the information came from an unapproved research project.
The VA has a standing rule against connecting personal computers to the VA network. They also encrypt all the data stored on the VA network. It is unclear however, what effect this safeguards had on the downloaded information.
The burden is on the medical center to retain and control their records, not the patient. While the investigation is still ongoing, hopefully there will be no damage done to the veteran-patients.