Incident Management and Response
How to Report a Privacy Incident
What is a Privacy Incident?
A privacy incident is any event that has resulted in, or has the potential to result in, unauthorized access to or disclosure of the Department of Veterans Affairs (VA) sensitive personal information (SPI), including personally identifiable information (PII) and protected health information (PHI), whether physical or electronic, in a manner not permitted under the applicable confidentiality provisions.
Reporting a Privacy Incident
Always report suspected or confirmed privacy incidents to your local VA facility Privacy Officer.
Be Ready to Submit:
The caller should be prepared to answer questions about the privacy incident such as:
- Caller's name
- Phone number
- Office (location)
- Date of incident
- What was lost, compromised or disclosed?
- What happened?
- If an electronic device was involved, was the data encrypted?
- Was the electronic device turned on, and if so, was it password protected?
Contact your local Privacy Officer
Or email VA Privacy Service at firstname.lastname@example.org
Learn More About Privacy Incidents
Examples of Privacy Incidents:
A hacker obtains information from laptops; unauthorized access to personnel files; papers left on a community printer showing names, addresses and account numbers; an employee roster posted on a portal disclosing names, personal cell phone numbers and home addresses; a key logger gains access to a computer and its accounts.
Privacy Incident Prevention
Security and privacy policies and system security controls are the primary mechanisms for preventing data breaches and privacy incidents and for reducing their number. VA personnel ensure that appropriate policies and controls exist to protect SPI and the VA information systems that use, store and transmit SPI.
Privacy Incident Detection, Reporting and Analysis
Privacy incident detection and reporting occurs either through technical detection or through a person reporting the event. VA employees must immediately report to their supervisor, Privacy Officer (PO) and Information System Security Officer (ISSO) any privacy event involving the compromise of VA sensitive information. The PO and/or ISSO will promptly report the privacy incident (within one hour of notification) to the VA Network Security Operations Center (VA-NSOC) in accordance with the Office of Information and Technology (OIT) Incident Management procedures.
After a privacy incident has been detected and reported, it is contained. The steps taken to contain the event vary with the nature of the incident. Depending on the results of the analysis, recovery activities may include training employees on applicable policy and proper procedures and providing notice or credit protection services to individuals whose SPI was compromised in a data breach. While engaging in these activities, VA officials will also collect and preserve evidence to support potential legal proceedings.
Post-incident activity involves:
- Asking questions about the incident, such as what happened, when it happened and how well staff and management
- Confirming that the privacy incident is closed by addressing the event in writing and providing closure;
- Using collected privacy incident information to improve processes and retain evidence.