When Anthony McCann opened a thick manila envelope from the Department of Veterans Affairs last year, he expected to find his own medical records inside.
Instead, he found over 250 pages of deeply revealing personal information on another veteran's mental health.
"It had everything about him, and I could have done anything with it," McCann said in an interview.
It wasn't the first time McCann had received another veteran's medical records. In the past, he informed the VA, then threw away the misdirected documents. This time, after failing to make contact with the other veteran on his own, McCann took the documents to a town hall meeting held by the director of the VA's Tennessee Valley Healthcare System.
When the floor opened for questions, McCann was the first to raise his hand.
"I got 256 pages of another person's extremely confidential, extremely explicit mental health records," he said, waving the documents in his hands, an exchange captured by local media. When an official asked for the documents back, McCann refused, doubting the VA's ability to safeguard the material or make sure it ended up in the right hands. "I don't trust them," McCann told ProPublica. "They don't do what they say they're going to do."
Employees and contractors at VA medical centers, clinics, pharmacies and benefit centers commit thousands of privacy violations each year and have racked up more than 10,000 such incidents since 2011, a ProPublica analysis of VA data shows.
The breaches range from inadvertent mistakes, such as sending documents or prescriptions to the wrong people, to employees' intentional snooping and theft of data. Not all concern medical treatment; some involve data on benefits and compensation.
Many VA facilities and regional networks are chronic offenders, logging dozens of violations year after year.
The VA's Sunshine Healthcare Network, which includes Florida, Puerto Rico and southern Georgia, has had more privacy incidents than any other region, with at least 370 over the past five years, according to ProPublica's analysis. The C.W. Bill Young VA Medical Center in Bay Pines, Fla., had more privacy reports than any other facility, with 112 incidents. (ProPublica's new tool, HIPAA Helper, allows you to read reports on these incidents and search by facility.)
In an interview Tuesday, a VA official said the department considers patient privacy a top priority and that it fares well in comparison with health providers and insurers in the private sector, some of which have been targets of cyberattacks this year. The VA runs the largest integrated health care system in the nation, with 150 hospitals and hundreds of clinics that collectively serve around 9 million patients annually.
"We take any loss of data very seriously," said John Oswalt, the VA's associate deputy assistant secretary for privacy and records management. "Over a third of our employees are veterans. ... We have a vested interest in protecting the data personally, too."
The VA also released a written statement that said, in part, "Inappropriate access of patient health records, either during or post treatment, is absolutely unacceptable and in violation of privacy laws and regulations, VA policies and procedures, and our principles."
Responsibility to act on privacy violations falls both to the VA itself and to the Office for Civil Rights within the Department of Health and Human Services. That's the agency charged with enforcing the Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA. The civil rights office has cited the VA more frequently than any other health provider in the nation, yet it has not sanctioned the VA or publicly identified it as the top HIPAA violator.
VA facilities were the subject of more than 300 privacy complaints to the Office for Civil Rights from 2011 to 2014. In 220 cases, the VA submitted a corrective-action plan or received "technical assistance" on how to comply with the law. (See our previous story.)
Two senators told ProPublica they found the volume of privacy breaches involving the VA to be deeply troubling.
"It's just one more area in which the VA fails to operate in a way that's worthy of our veterans," said Kansas Republican Sen. Jerry Moran, a frequent critic of the VA who serves on the Senate Committee on Veterans' Affairs. "There's 127 community hospitals in Kansas. I have visited each and every one of them. When I visit a hospital, you can sense that they are very cautious about what I see and what I hear when it involves a patient. ... That same kind of attitude ought to exist at the VA."
The VA provides monthly reports to Congress on data breaches and posts them on its website, but these reports don't contain all of the incidents provided to ProPublica under the Freedom of Information Act.
Moran said he would support requiring the VA to report all privacy incidents to Congress.
A 2013 investigation by the Pittsburgh Tribune-Review found that privacy violations were rampant within the VA, affecting tens of thousands of veterans. ProPublica asked for the data provided to the newspaper, as well as all privacy violations since then. The number of reported incidents has increased, the data show.
In fact, from 2011 to 2014, the number of reports per year nearly doubled, from 1,547 to 3,054.
The VA's Oswalt said the increase is less a result of a growing problem and more an indication that the VA has been successful in encouraging employees to report potential breaches.
"I think we have a pretty good track record of getting people to report when they make a mistake or when they observe something happening," he said. "If we were out there punishing people for human error, I think you would see the number of reported incidents go down, but that doesn't serve the needs of the veteran."
Under HIPAA, medical providers are responsible for keeping patients' medical information confidential. Releasing a patient's treatment information without consent is illegal. VA employees who have access to medical records are only supposed to access the minimum necessary in order to perform their jobs.
The majority of the VA privacy incidents appear to be inadvertent ones --medical records left in waiting rooms or faxed to the wrong recipient, for example. But even unintended errors can cause grief, particularly in the case of mistaken identities.
There were several cases of widows who received letters extending sympathy for the death of unrelated veterans and outlining survivor compensation and burial benefits for those veterans.
The privacy incident reports also reveal more systemic issues across the VA: Employees repeatedly accessed the medical records of patients not under their care, from co-workers to suicidal vets to whistleblowers.
For example, in September 2011, after a veteran committed suicide on the grounds of a VA facility in Biloxi, Miss., more than 40 employees accessed his medical records. In response, the VA provided training and a reminder about privacy laws and sent the veteran's family a letter informing them of the violation.
Two years later, a VA employee who worked at the same facility in Biloxi committed suicide and, again, several co-workers inappropriately snooped in the medical records.
In January 2015, a veteran who works at C.W. Bill Young VA Medical Center attempted suicide. Afterward, many co-workers who had no direct involvement in his medical care seemed to know about his attempt and asked how he was doing. Following an investigation, the VA's incident response team found that an employee had indeed inappropriately accessed the veteran's medical records "out of curiosity."
The problems were noted both within the VA's internal data and in letters sent by the Office for Civil Rights to the VA when it closed its complaint investigations. (Patients can complain to the VA, the Office for Civil Rights or both.)
Some VA employees have used their access to medical records as a weapon in disputes or for personal gain, incident reports show.
A patient treated at the West Virginia VA Medical Center had his medical records impermissibly accessed by co-workers of his wife. His records were then used against him during divorce proceedings, according to a May 2013 letter from the Office for Civil Rights.
A VA employee at C.W. Bill Young VA Medical Center suspected that his ex-girlfriend, a nurse at the facility, accessed his Social Security number from his confidential medical files in order to change his AT&T account information. He requested a list of everyone who had looked at his file, which revealed that his ex-girlfriend had accessed it 55 times. According to the Office for Civil Rights investigation letter from November 2012, the ex-girlfriend was suspended for 10 days and given training, and the incident was documented in her employment record.
As the VA's overall problems have mounted in the past couple of years — including long waits for care — some whistleblowers contend that HIPAA has been used as a sword against them. Some have reported being accused of violating HIPAA for collecting material to inform members of Congress about care problems at the VA. Others say their own medical records were looked at by co-workers and officials without their consent.
"This is a problem that is widespread throughout the VA," said Brandon Coleman, a VA whistleblower who testified before the Senate that his private medical records were inappropriately accessed by a co-worker. "I realized right away that she had no right to be in there. She had never treated me and had nothing to do with my medical care."
Coleman, an addiction therapist for the Phoenix VA Health Care System who is on administrative leave, said a social worker mentioned during a meeting in October 2014 that she had accidentally accessed his medical file a few months earlier. Coleman said he was horrified and filed a complaint with the privacy officer at the Phoenix VA.
Shortly after he came forward in December 2014 to the Office of Special Counsel, a federal office that handles whistleblower allegations for the VA, Coleman was placed on administrative leave for allegedly threatening other employees. While on leave, he discovered that yet another administrative officer at the VA, who also was not involved with his medical care, had accessed his health files after he filed his complaint with the Office of Special Counsel.
"They come up with ways to try to discredit you or say you are unfit for duty," said Coleman, who is still on leave nearly a year later. "There is zero accountability."
Another VA whistleblower, Dr. Katherine Mitchell, was inappropriately investigated for a privacy violation after she came forward with allegations of patient harm.
Mitchell, a physician who has worked at the VA for over 16 years, contacted the office of Sen. John McCain, R-Ariz., in 2013, alleging that the Carl T. Hayden VA Medical Center in Phoenix didn't provide adequate care for its suicidal veterans and that the hospital statistically manipulated its patient wait list.
Mitchell submitted a formal report through the senator's office, hoping that a congressional push would secure a review by the VA's inspector general. However, shortly after she submitted her request, she was placed on administrative leave and investigated for alleged privacy violations: Her superiors told her that she had violated privacy laws by accessing the records of the suicidal veterans she alleged had not received adequate care.
"It's not a violation to provide that information to your congressman to request an investigation into inappropriate behavior," said Mitchell, who believes that many whistleblowers are investigated for merely trying to bring attention to flaws in the system.
The VA's internal records indicate that its incident response team found that Mitchell accessed at least 15 patients' charts without "proper authorization." But a recent VA accountability review found that Mitchell's actions were indeed protected because she was acting as a whistleblower, and her placement on leave was deemed to be retaliatory.
"The management uses HIPAA rules inappropriately to prevent whistleblowers from speaking up," said Mitchell, who received the Office of Special Counsel's Public Servant award the year after her allegations. "If they don't report the cases, no one will investigate."
The experiences of Coleman and Mitchell were reflected in recent testimony from Carolyn Lerner, who heads the Office of Special Counsel. Lerner expressed concern that VA employees are accessing whistleblower medical records to discredit their claims. She emphasized that the VA should consider "system-wide corrective action" to better protect whistleblowers.
"Quite simply, it is too easy right now for a mischief-minded employee to enter the medical record system and access information on his or her co-workers," Lerner wrote in her written testimony. "A better 'lock' on the system would potentially eliminate, and certainly reduce, this problem."
Sen. Richard Blumenthal of Connecticut, the ranking Democrat on the Senate Committee on Veterans' Affairs, said he too is concerned about this.
"Nothing is more devastating and unconscionable than the misuse of power to subjugate legitimate complaints," he said in an interview. Blumenthal has proposed a bill, called the VA Patient Protection Act, which, among other things, would punish VA supervisors or employees who retaliate against whistleblowers.
"The VA still has a significant way to go in restoring trust and credibility," he added, "and part of that task is to take sufficient disciplinary action against wrongdoers so as to deter them and reassure all veterans that it has a very strict standard of accountability."
In its statement, the VA told ProPublica that it will not tolerate any retaliation "against those who raise issues which may enable VA to better serve Veterans."
"Complaints that VA receives from whistleblowers about inappropriate access to their health records are thoroughly investigated and appropriate actions are taken where warranted," said the VA.
This story is part of a yearlong examination into how secure medical privacy is. Has your medical privacy been compromised? Help ProPublica investigate by filling out a short questionnaire. You can also read other stories in our Policing Patient Privacy series.