Incident Management and Response
How to Report a Privacy Incident
What is a Privacy Incident?
A privacy incident is any event that has resulted in, or has the potential to result in, unauthorized access to or disclosure of the Department of Veterans Affairs (VA) sensitive personal information (SPI), including personally identifiable information (PII) and protected health information (PHI), whether physical or electronic, in a manner not permitted under the applicable confidentiality provisions.
Reporting a Privacy Incident
Always report suspected or confirmed privacy incidents to your local VA facility Privacy Officer. To locate your local Privacy Officer, you must contact your local VA facility, or you may email VA Privacy Service at privacyservice@va.gov.
Be Ready to Submit:
The caller should be prepared to answer questions about the privacy incident such as:
- Caller’s name
- Phone number
- Location
- Date of incident
- What was lost, compromised or disclosed?
- What happened?
- Was data encrypted if it was an electronic device?
- Was the electronic device turned on, and if so, was it password protected?
Useful Definitions
Sensitive Personal Information (SPI):
SPI, as defined in VA Handbook 6500, is any information about the individual maintained by an agency, including the following: (i) education, financial transactions, medical history, and criminal or employment history; and (ii) information that can be used to distinguish or trace the individual’s identity, including name, Social Security number, date and place of birth, mother’s maiden name, or biometric records.
Personally Identifiable Information (PII):
PII, as defined in VA Handbook 6500, is any information about an individual that can be used to distinguish or trace an individual’s identity, alone or when combined with other information which is linked or linkable to a specific individual, such as: name, Social Security number, date and place of birth, mother’s maiden name, telephone number, driver’s license number, credit card number, photograph, fingerprints, biometric records, education, financial transactions, medical history, and criminal or employment history, etc.
Protected Health Information (PHI):
PHI, as defined in VA Handbook 6500, is individually identifiable health information held by a covered entity or by a business associate acting on its behalf.