Senators Demand More Details on VA Breach
Lawmakers Say 17,000 Healthcare Providers Affected; VA Disputes Claim
Several Senate Democrats are demanding answers from the Department of Veterans Affairs about its cybersecurity practices in the wake of a breach disclosed Monday that the VA says exposed data on 46,000 veterans but which the senators claim also apparently affected 17,000 healthcare providers. The VA, however, says far fewer providers were affected.
The VA on Monday said its Financial Services Center recently discovered that malicious actors gained unauthorized access to one of its applications to divert VA payments intended for community healthcare providers and money used to provide medical treatment to veterans. The compromised application has been taken offline, the VA said.
In a Wednesday letter to VA Secretary Robert Wilkie, the senators note that VA Office of Information and Technology officials briefed the Senate and House veterans' affairs committees, telling the lawmakers that approximately 17,000 VA community care providers who serve veterans were also affected.
But in a statement provided to Information Security Media Group on Friday, a VA spokesperson says: "17,000 community care providers used the application involved in the incident, but only 13 of those were impacted by the breach and just six had payments diverted. VA is working with those vendors to compensate the lost funds."
The VA is offering access to free credit monitoring services to veterans whose personal information may have been compromised, the statement adds.
"The department has made steady progress in improving cybersecurity by taking numerous actions to bolster VA's security posture, including revising policies, adding additional monitoring capabilities, and improving workforce incorporation of cybersecurity and privacy habits," according to the VA statement.
In their letter, the senators write: "Based on information currently available, it appears this cybersecurity incident was carried out by those able to find weaknesses in the way VA authenticates community care healthcare providers using VCAs [veterans care agreements] and processes payments for their services."
Veterans' Social Security numbers and other personally identifiable information likely were exposed, as well as bank account information "for thousands of community providers," the senators write.
The senators ask why the VA's public statement on Monday about 46,000 veterans being affected by the breach did not also disclose that thousands of healthcare providers were affected.
The Democrats who signed the letter are Jon Tester of Montana, the Senate VA committee ranking member, and other committee members, including Patty Murray of Washington, Sherrod Brown of Ohio, Richard Blumenthal of Connecticut, Mazie Hirono of Hawaii, Joe Manchin of West Virginia and Kyrsten Sinema of Arizona. Also signing were Margaret Hassan and Jeanne Shaheen, both of New Hampshire.
The VA breach "raises numerous concerns not just for this incident, but more broadly with how VA is approaching protecting the personally identifiable information and other important data within its vast data systems and networks," the senators write.
"This is not a new vulnerability for VA. Rather, it is a longstanding weakness of the department as identified by independent reviews conducted by the VA Office of Inspector General and the Government Accountability Office for more than 10 years. The information provided to Congress on this incident raises countless questions and does not instill confidence that VA is adequately addressing the current incident or working to better safeguard private information in the future."
The recent VA incident is the latest of many data breaches affecting the VA.
In May 2006, the VA reported a breach stemming from a stolen unencrypted laptop that contained information on more than 26 million individuals. Although the device was eventually recovered and the FBI determined that no personal information was inappropriately accessed, the VA agreed to pay $20 million to settle a breach-related lawsuit filed by veterans (see: 2006 VA Breach: Assessing the Impact).
In an October 2019 report, the VA Office of Inspector General said its review of the Milwaukee VA regional office found that veterans' sensitive personal information was left unprotected on two shared network drives (see: Veterans' Data at Risk on Shared Network Storage Devices).
Questions for VA
The senators ask the VA to provide:
- Details about the systems that the VA's Financial Services Center uses;
- An update on actions the VA is taking to assure its community healthcare providers that their financial data will be secure;
- A description of who discovered the VA breach;
- Details on the VA's regular assessments of systems for vulnerabilities;
- Steps the VA will take to conduct more oversight of business rules, IT processes and cybersecurity protocols to identify additional potential vulnerabilities.
"This most recent data breach is unacceptable. It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability and security of the vast financial, health and other personal data it collects and processes to perform its critical services for America's veterans," the senators write.
"Incidents such as these impact individual veterans' lives as well as those who partner with VA to provide services to them. It is imperative VA take aggressive and decisive action to address this current incident and lay out a strategy to prevent such problems from arising in the future."
Mike Weber, vice president of security consultancy Coalfire, says the biggest issue he's concerned with regarding the breach "is the way that the account information and personally identifiable information was being handled. It seems that this information was being shared in the course of completing transactions for healthcare - but it seems that the authentication of the entities was not sufficient."
Weber adds: "Years ago, a method of 'authentication' was merely providing your Social Security number to prove that you were who you claimed to be. I would surmise that there are other use cases within the VA that use limited or incomplete authentication information before sharing information in a business-to-business context, and I hope that the VA OIG investigation will suss that out."
To avoid being victimized by fraudsters in the wake of the incident, the affected provider organizations "should notify their associates that they may be targeted and ensure they are on their guard for requests to transfer funds and unexpected emails or phone calls," says Brett Bane, managing consultant at security consultancy Pondurance.
"They should also consider changing credentials they use to authenticate to the VA systems. And if those same usernames and passwords are used for other systems they use, such as email, their network or electronic medical records, they should change those as well. If possible, multifactor authentication should be turned on for remote access to all sensitive systems."