The U.S. Department of Veterans Affairs has admitted that it failed to adequately protect COVID-19 vaccination status data for about 500,000 of its employees.
Following an internal investigation by the VA’s Data Breach Response Service, the agency removed a spreadsheet containing personal details including vaccination status, according to a notice sent to the agency’s bargaining unit employees that was obtained by FedScoop. Federal Times first reported about the data breach.
Approximately 500,000 employees’ vaccination records were last year disclosed without permission and were sent to various members of Veterans Health Administration (VHA) senior leadership, according to the American Federation of Government Employee’s (AFGE) union, which filed a grievance.
Under the Health Insurance Portability and Accountability Act, regulated entities are prohibited from disclosing an individual’s protected health information, which includes COVID-19 vaccination status.
“Upon internal review, the VA agrees that the information contained in these documents should not have been placed on SharePoint without appropriate access permissions and this incident resulted in the inadvertent or unauthorized transmissions or disclosure of sensitive personal information,” said Jessica Bonjorni, chief of human capital management for the VA said in a notice to AFGE bargaining unit members on Nov. 9 and Nov. 10.
“Offering the highest levels of privacy protection to VA employees remains a top priority for both VA and AFGE. VA has investigated the matter, and the at-issue spreadsheet has been removed,” she added.
The spreadsheet that was incorrectly disclosed in the data breach in October 2021 included employee names and indicated whether or not they had been vaccinated, according to the AFGE National VA Council.
A VA spokesperson said: “VA remains committed to providing the highest levels of privacy protection to its employees. We investigated this matter and concluded on November 16, 2021, that the breach demonstrated a low risk of compromise.”
The emailed notice sent by Bonjorni said that the agency will complete any additional required investigations.
Editor’s note, 12/1/22: This story was updated to include comment from the VA.