Senators Demand Answers from VA on 46,000-Record Data Breach

On September 14, 2020, the U.S. Department of Veterans Affairs announced it had suffered a data breach that had impacted 46,000 veterans. Several Senate Democrats are now demanding answers from the VA on the breach and the cybersecurity measures the VA has put in place to prevent data breaches.

Hackers gained access to an application used by the VA’s Financial Services Center to send payments to community healthcare providers to pay for veterans’ medical care. Six payments intended for community care providers were redirected to bank accounts under the control of the hackers, and veterans’ data in the system was exposed and potentially stolen.

When the breach was discovered, the application was taken offline and will remain down until a full review has been conducted by the VA’s Office of Information and Technology. Affected veterans have been offered complimentary credit monitoring services and the VA is currently working on compensating the community care providers whose payments were redirected.

Officials at the VA Office of Information and Technology told Senate and House veterans’ affairs committees that approximately 17,000 community care providers were affected by the breach, although the VA has now said that while 17,000 community care providers use the application, only 13 were affected.

In a letter to VA Secretary Robert Wilkie, Sens. Jon Tester, Patty Murray, Sherrod Brown, Richard Blumenthal, Mazie K. Hirono, Joe Manchin III, Kyrsten Sinema, Margaret Wood Hassan, and Jeanne Shaheen expressed “serious concerns” about the ability of the VA to protect veterans’ and community care providers’ data and called for the VA to provide assurances that the department is capable of safeguarding personal and financial data.

“Based on information currently available, it appears this cybersecurity incident was carried out by those able to find weaknesses in the way VA authenticates community care health care providers using VCAs and processes payments for their services,” said the Senators.

“This incident raises numerous concerns not just for this incident, but more broadly with how VA is approaching protecting the PII and other important data within its vast data systems and networks,” wrote the Senators. “This is not a new vulnerability for VA. Rather, it is a long-standing weakness of the Department as identified by independent reviews conducted by the VA OIG and the Government Accountability Office (GAO) for more than 10 years.”

The Senators reference two GAO reports from June 2019 and July 2019 that make several recommendations for agencies on cybersecurity, risk management and data protection, including recommendations specifically for the VA. They have called for the VA to provide information on the current status of the VA’s efforts to implement those recommendations.

The Senators have called for the VA to provide a state-level breakdown of all impacted community care providers and to provide information on the steps that have been taken to assure community care providers and veterans that their personal and financial data will be secure. The Senators want to know who discovered the breach – whether it was the VA or the VA Office of Inspector General. They also requested information on the systems used by the VA Financial Services Center.

The Senators also raised concern that the VA is in a reactive posture, waiting for cybersecurity vulnerabilities to arise. They want to know what proactive assessments have been conducted to identify vulnerabilities, the frequency of those assessments, and what steps the VA will take to ensure greater oversight of business rules and IT and cybersecurity processes so that vulnerabilities are identified and addressed before they are exploited.

“This most recent data breach is unacceptable. It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability, and security of the vast financial, health, and other personal data it collects and processes to perform its critical services for America’s veterans,” wrote the Senators. “It is imperative VA take aggressive and decisive action to address this current incident and lay out a strategy to prevent such problems from arising in the future.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.