
VA Privacy Service


Incident Management and Response

How to Report a Privacy Incident

What is a Privacy Incident?

A privacy incident is any event that has resulted in, or has the potential to result in, unauthorized access to or disclosure of the Department of Veterans Affairs (VA) sensitive personal information (SPI), including personally identifiable information (PII) and protected health information (PHI), whether physical or electronic, in a manner not permitted under the applicable confidentiality provisions.

Reporting a Privacy Incident

Always report suspected or confirmed privacy incidents to your local VA facility Privacy Officer.

Be Ready to Submit:

The caller should be prepared to answer questions about the privacy incident such as:

  • Caller’s name
  • Phone number
  • Office (location)
  • Date of incident
  • What was lost, compromised or disclosed?
  • What happened?
  • Was data encrypted if it was an electronic device?
  • Was the electronic device turned on, and if so, was it password protected?

Contact your local Privacy Officer

Or email VA Privacy Service at privacyservice@va.gov

Learn More About Privacy Incidents

Examples of Privacy Incidents:

Hacker obtains information from laptops; unauthorized access to personnel files; papers left on community printer with names, addresses and account numbers; employee roster posted on portal disclosing name, personal cell phone number and home address; key logger gains access to a computer and its accounts.

Privacy Incident Prevention

Security and privacy policies and system security controls are the primary mechanisms for preventing and reducing the number of data breaches and privacy incidents. VA personnel ensure that appropriate policies and controls exist to protect SPI and VA information systems using, storing and transmitting SPI.

Privacy Incident Detection, Reporting and Analysis

Privacy incident detection and reporting occur either through technical detection or reporting of the event. VA employees must immediately report to their supervisor, Privacy Officer (PO), and Information System Security Officer (ISSO) any privacy event involving the compromise of any VA sensitive information. The PO and/or ISSO will promptly report the privacy incident (within one hour of notification) to the VA-Network Security Operations Center (VA-NSOC) in accordance with the Office of Information and Technology (OIT) Incident Management procedures.

Corrective/Mitigation Action

After a privacy incident has been detected and reported, it is contained. The steps to contain the event vary. Depending on the results of the analysis, recovery activities may include training employees on applicable policy and proper procedures and providing notice or credit protection services to individuals whose SPI was compromised in a data breach. While engaging in these activities, VA officials will also collect evidence to support potential legal proceedings.

Post-Incident Activity

Post-incident activity involves:

  • Asking questions about the incident, such as what happened, when it happened and how well staff and management
  • Confirming that the privacy incident is closed by addressing the event in writing and providing closure;
  • Using collected privacy incident information to improve processes and retain evidence.