Vets lose privacy lawsuit against VA after unencrypted data is stolen from hospital
This article first appeared on CyberScoop.
After multiple thefts and data breaches related to the unencrypted personal information of 7,400 U.S. veterans out of a Veterans Affairs hospital, an appeals court dismissed a lawsuit this month in which patients alleged violations of the Privacy Act and Administrative Procedure Act.
The veterans claimed at least seventeen more data breaches have occurred at Wm. Jennings Bryan Dorn VA Medical Center hospital in Columbia, S.C. since litigation began, a claim called “undoubtedly concerning” by Fourth Circuit Judge Albert Diaz.
Veterans Richard G. Beck, Lakreshia R. Jeffery, Beverly Watson, Cheryl Gajadhar and Jeffery Willhite launched the suit seeking damages for the Department of Veterans Affairs “failures” and “violations” of the privacy act that caused the 7,400 patients “embarrassment, inconvenience, unfairness, mental distress, and the threat of current and future substantial harm from identity theft and other misuse of their personal information.”
The plaintiffs also sought to stop the VA from moving patient information to portable devices until information security was improved.
Two particular thefts launched this litigation. In 2013, a laptop containing unencrypted personal information for 7,400 patients was stolen from the hospital. In 2014, four boxes of medical reports and personal data for over 2,000 patients was “misplaced or stolen.” The reports contain identifying information of over 2,000 patients, including names, social security numbers, and medical diagnoses.
Hospital officials alerted those affected, as they did following the laptop’s disappearance, and offered each of them one year of free credit monitoring.
The stolen laptop incident came just months after a report that unencrypted data on 20 million veterans had been stolen by at least eight foreign nations including China, according to department officials testifying before Congress.
Neither the laptop or the boxes have not been recovered. It’s not clear if the data has ever been used or if any of the veterans have suffered identity theft because of the theft.
As a result of the lack of clear victimization, Judge Diaz called the lawsuit’s allegations insufficient and speculative to show that real harm or risk was present. The plaintiffs pointed to the money they spent buying credit and identity monitoring but that too was deemed speculative by the court.
You can read the court’s opinion here.