Senators Probe VA After Data Breach Affecting 46K Veterans, Providers

The VA recently reported that a hacker diverted payments to community health providers and funds meant for veterans’ medical treatments. A group of senators demands answers.

By Jessica Davis

A group of Democratic Senators led by Jon Tester, D-Montana, is demanding answers from the Department of Veterans Affairs after a reported data breach that impacted the personal and health information of about 46,000 veterans and 17,000 community care providers.

A VA spokesperson, however, refuted claims asserted in the letter sent to the agency and said that "in reality, only 13 community care providers were impacted by the breach and just six had payments diverted."

On September 14, VA officials reported that a hacker gained access to the online applications of its Financial Services Center and diverted payments intended for community healthcare providers for the medical treatment of veterans. 

The application was taken offline, and a preliminary analysis found that the hackers used the application to change financial information by leveraging social engineering and exploiting weaknesses in its authentication protocols. Officials said the site will remain offline until they’ve completed a security assessment of the apps.

According to the Department of Health and Human Services breach reporting tool, the Veterans Health Administration reported that 44,308 patients were affected by the hack. 

The letter explained that it appears the hackers took advantage of weaknesses in the VA’s authentication tools, which led to the exposure of Social Security numbers, bank account information, and other personal data. The Senators have asked the VA to detail what they’re calling an “unacceptable breach.” 

“It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability, and security of the vast financial, health, and other personal data it collects and processes to perform its critical services for America’s veterans,” Tester wrote to VA Secretary Robert Wilkie. 

“Incidents such as these impact individual veteran’s lives as well as those who partner with VA to provide services to them,” he added. “It’s imperative VA take aggressive and decisive action to address this current incident and lay out a strategy to prevent such problems from arising in the future.” 

For the Senators, the breach exposes whether the VA is adequately protecting the data within its data systems and networks as the exploited vulnerability was not new to the agency. 

A recent GAO report detailed systemic security weaknesses and found that the VA’s IT systems could not sufficiently support critical services, like healthcare. Despite having an IT budget of $4 billion annually, the agency has struggled to modernize its IT system and programs. 

The watchdog found several key vulnerabilities posing a serious risk to the VA infrastructure: the VA health information system known as the Veterans Health Information Systems and Technology Architecture (VistA), a system for its Family Caregiver Program, and the Veterans Benefit Management System (VBMS), which collects and stores data used for processing disability claims.

“VA has made progress toward improving its licensing of software and achieving its goals for closing unneeded data centers. However, the department has made limited progress toward addressing requirements related to IT investment risk management and Chief Information Officer authority enhancement,” officials explained. 

“Since fiscal year 2016, GAO has reported that VA faces challenges related to effectively implementing the federal approach to, and strategy for, securing information systems; effectively implementing information security controls and mitigating known security deficiencies; and establishing elements of its cybersecurity risk management program,” they added. 

In light of the breach and ongoing IT and security challenges, the Senators demand the agency explain several key concerns that will allow for appropriate oversight of VA cybersecurity, risk management, and veteran data protection. 

The VA is asked to provide a state-level breakdown of the 17,000 providers impacted by the breach, as well as the action the agency is taking to reassure those providers that it’s safe to do business with the VA and that their financial data is secure.

The Senators are also inquiring whether the VA discovered the breach or if it was found by the VA Office of the Inspector General, as well as details into the 85 different VA Financial Services Center (FSC) systems operating under Authority to Operate, including the breached Customer Engagement Portal. 

Notably, the agency was asked to explain its “reactive posture, waiting for cybersecurity or business rule vulnerabilities to arise.” The Senators also asked for the VA’s proactive assessment of system vulnerabilities in business rules, including its frequency. 

Noting an August 7, 2020 Request for Information that sought cybersecurity auditing services, the Senators also ask why the VA has not yet conducted an assessment of the FSC, given that the RFI “reflects a lack of very basic internal capabilities at the FSC.”

Further, the Senators are asking how many VA organizations, like the VHA, also need a similar cybersecurity review of system vulnerabilities, as well as why the onus for these reviews falls on those departments rather than being led by the VA Office of Information and Technology and whether these tasks can be performed in-house. 

“Veterans who rely on VA for health care and providers who do business with VA need assurance that the department is capable of safeguarding their personal and financial data,” the Senators wrote. “Anything less is completely unacceptable.” 

The Senators do not give a deadline for the agency’s response, but instead asked for a prompt reply. It’s the second VHA security incident reported in the last year. In October 2019, a VA OIG audit report showed the sensitive personal information of veterans was exposed online on two shared VA network drives, putting those patients at risk of identity theft or fraud.