A group of Democratic Senators led by Jon Tester, D-Montana, is demanding answers from the Department of Veterans Affairs after a reported data breach that impacted the personal and health information of about 46,000 veterans and 17,000 community care providers.
On September 14, VA officials reported that a hacker gained access to the online applications of its Financial Services Center and diverted payments intended for community healthcare providers for the medical treatment of veterans.
The application was taken offline, and a preliminary analysis found that hackers used the application to change financial information by leveraging social engineering and exploiting authentication protocols. Officials said the site will remain offline until they’ve completed a security assessment of the apps.
According to the Department of Health and Human Services breach reporting tool, the Veterans Health Administration reported that 44,308 patients were affected by the hack.
The letter explained that it appears the hackers took advantage of weaknesses in the VA’s authentication tools, which led to the exposure of Social Security numbers, bank account information, and other personal data. The Senators have asked the VA to detail what they’re calling an “unacceptable breach.”
“It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability, and security of the vast financial, health, and other personal data it collects and processes to perform its critical services for America’s veterans,” Tester wrote to VA Secretary Robert Wilkie.
“Incidents such as these impact individual veterans’ lives as well as those who partner with VA to provide services to them,” he added. “It’s imperative VA take aggressive and decisive action to address this current incident and lay out a strategy to prevent such problems from arising in the future.”
For the Senators, the breach raises the question of whether the VA is adequately protecting the data within its systems and networks, as the exploited vulnerability was not new to the agency.
A recent GAO report detailed systemic security weaknesses and found that the VA’s IT systems could not sufficiently support critical services, like healthcare. Despite having an IT budget of $4 billion annually, the agency has struggled to modernize its IT system and programs.
The watchdog found several key vulnerabilities posing a serious risk to the VA infrastructure: the VA health information system known as the Veterans Health Information Systems and Technology Architecture (VistA), a system for its Family Caregiver Program, and the Veterans Benefit Management System (VBMS), which collects and stores data used for processing disability claims.
“VA has made progress toward improving its licensing of software and achieving its goals for closing unneeded data centers. However, the department has made limited progress toward addressing requirements related to IT investment risk management and Chief Information Officer authority enhancement,” officials explained.
“Since fiscal year 2016, GAO has reported that VA faces challenges related to effectively implementing the federal approach to, and strategy for, securing information systems; effectively implementing information security controls and mitigating known security deficiencies; and establishing elements of its cybersecurity risk management program,” they added.
In light of the breach and ongoing IT and security challenges, the Senators demand the agency explain several key concerns that will allow for appropriate oversight of VA cybersecurity, risk management, and veteran data…
Read More: Senators Probe VA After Data Breach Affecting 46K Veterans, 17K Providers