HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Department of Veterans Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs

The U.S. Department of Veterans Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans.

Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information.

Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review.

The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security numbers of around 46,000 veterans were stolen in the attack and could potentially be used for fraudulent purposes.

All veterans whose information was potentially compromised in the attack have now been notified by mail and have been offered complimentary credit monitoring services. They have also been provided with information on the steps they can take to protect against fraudulent use of their information.

The VA is currently undergoing a major update of its financial services system; however, there have been several delays and the project is not expected to be completed until 2030. The FTC recently issued a request for information seeking cybersecurity audit services. The cybersecurity audit is intended to address compliance, strategy, and sustainment, and as part of the audit, the contractor is required to “provide a gap analysis on which cybersecurity tools, processes, and controls the government should employ and provide recommendations of methods to improve visibility as well as incident response time following VA best practices.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.