Vendor Breach Exposes PII of More than 7,000 Vets
Veterans Affairs Learned of Incident in Early November
The Department of Veterans Affairs, in a cryptic message, disclosed a potential security flaw that exposed the personally identifiable information of 7,054 veterans in a patient database belonging to and managed by a vendor that provides home telehealth services to the VA.
The Dec. 24 statement said VA learned of the possible breach on Nov. 4. "An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern," a VA spokesperson said. "The contracted vendor has assured VA that only vendor staff and VA staff had accessed this information. The security flaw in the vendor database was immediately corrected and VA continues to closely monitor the application."
VA neither identified the contractor nor provided more details about the incident.
The spokesperson said VA notified the affected veterans and offered them credit protection. But don't expect many vets to take the VA up on the offer. In October, VA CIO Steph Warren said only 4 percent of veterans accept such offers (see VA CIO Reveals Biggest Security Concerns).
The latest security incident pales when compared with past events. In 2013, Congress was told that hackers from overseas had repeatedly breached VA computers containing unencrypted data on some 20 million veterans (see VA Systems Hacked from Abroad). Eight years ago, a stolen laptop held unencrypted personally identifiable information on more than 26 million individuals (see 2006 VA Breach: Assessing the Impact).