The Department of Veterans Affairs admitted it failed to protect the COVID-19 vaccination status data for about 500,000 of its employees after a spreadsheet containing the information was improperly shared in October 2021, FedScoop reported Nov. 30.
In 2021, the names and vaccination statuses of approximately 500,000 employees were disclosed without permission when a spreadsheet containing the information was sent to various members of Veterans Health Administration senior leadership.
"Upon internal review, the VA agrees that the information contained in these documents should not have been placed on SharePoint without appropriate access permissions and this incident resulted in the inadvertent or unauthorized transmissions or disclosure of sensitive personal information," said Jessica Bonjorni, chief of human capital management for the VA.
Under HIPAA, regulated entities are prohibited from disclosing an individual's protected health information, which includes COVID-19 vaccination status.
The VA removed the spreadsheet containing employees' medical information following the internal investigation by the VA's Data Breach Response Service.