The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs

The U.S. Department of Veteran Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans.

Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information.

Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review.

The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security numbers of around 46,000 veterans were stolen in the attack and could potentially be used for fraudulent purposes.

All veterans whose information was potentially compromised in the attack have now been notified by mail and have been offered complimentary credit monitoring services. They have also been provided with information on the steps they can take to protect against fraudulent use of their information.

The VA is currently undergoing a major update of its financial services system; however, there have been several delays and the project is not expected to be completed until 2030. The FTC recently issued a request for information seeking cybersecurity audit services. The cybersecurity audit is intended to address compliance, strategy, and sustainment, and as part of the audit, the contractor is required to “provide a gap analysis on which cybersecurity tools, processes, and controls the government should employ and provide recommendations of methods to improve visibility as well as incident response time following VA best practices.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
