A database containing the personal and protected health information of almost 200,000 U.S. military veterans has been discovered to be accessible online by security researcher Jeremiah Fowler.
The database was identified on April 18, 2021 and a review identified references to a company called United Valor Solutions. Jacksonville, NC-based United Valor Solutions is a contractor of the Department of Veterans Affairs (VA) that provides disability evaluation services for the VA and other government agencies. The database – which contained veterans’ names, dates of birth, contact information, medical information, appointment information, unencrypted passwords, and billing information – could be accessed without a password. The database could have been viewed and downloaded by anyone and information in the database altered or deleted.
Fowler notified United Valor Solutions about the exposed database. The company replied the following day, confirming the exposed database had been reported to its contractors and public access had been shut down. It is unclear for how long the database was exposed; however, United Valor Solutions said the database only appeared to have been accessed by internal IP addresses and Fowler’s.
Fowler said he found evidence of a ransomware attack. Within the dataset was a message titled “Read_me” which claimed that records had been downloaded and would be exposed if a 0.15 Bitcoin ransom was not paid.
According to Threatpost, which first reported the story, the VA has been investigating the incident, which appears to have been related to penetration testing. Reginald Humphries, director of IT strategic communication at the Office of Information and Technology at the VA, provided a statement: “It appears that a researcher was attempting to find security deficiencies and flaws in United Valor Solutions systems. At this time, we do not believe there was a data breach but rather this was done for research purposes, at the request of the contractor, United Valor Solutions.” The VA investigation into the incident is ongoing.
Additional Individuals Impacted by Insider Atascadero State Hospital Breach
A breach previously reported by the California Department of State Hospitals (DSH) has affected more individuals than previously thought. The breach, which was identified on February 25, 2021, involved improper medical record access by a former employee.
The breach was initially thought to have involved the records of 1,415 patients and former patients, 617 employee names, the personal and protected health information of 1,735 employees, and information about 1,217 job applicants who had not been successful in gaining employment.
Further investigations into the improper access revealed the personal information of a further 80 individuals was accessed, including addresses, phone numbers, email addresses, Social Security numbers, dates of birth, and driver’s license numbers. The immigration information of 38 individuals, employment-related health information of 81 individuals who had applied for work, had been employed, or were former employees, and 20 individuals’ dates of birth and the last four digits of their Social Security numbers were also accessed.
The employee concerned has been placed on administrative leave while the case is investigated. The California Highway Patrol is assisting the DSH with the investigation.