VA employees go dumpster diving to protect sensitive data

The Veterans Administration will go to extreme lengths to protect patient data, including dumpster diving, Chief Information Officer Roger Baker said in his regular press call on the VA data breach reports sent monthly with Congress

VA tracks patient food trays in its hospitals with meal tickets that include the name and last four digits of the patient's Social Security number, along with dietary information. Department policy calls for shredding the tickets when trays are returned to the kitchen, Baker said.

But the December 2010 data breach report showed that the Tuscaloosa, Ala., VA Medical Center did not follow this policy when its kitchen shredder broke down, Baker said.

Instead, kitchen employees threw the meal tickets into a trash can that contained food waste and processed everything through a pulping machine. That does not meet VA standards for the destruction of paper with personally identifiable information.

Alerted to the breach by an unnamed employee, the privacy officer and the chief of nutrition services at Tuscaloosa hospital did some dumpster diving, Baker said. They retrieved a garbage bag that contained 58 meal tickets, which were to be shredded later (Baker didn't know Friday if the shredder had been fixed yet).

Baker said the incident demonstrates VA has developed a culture where employees, if necessary, will take extraordinary steps to protect sensitive veteran information.