This story was updated a second time on Friday, Sept. 18 at 12:30 p.m. with additional information from congressional aides.
This story was updated on Thursday, Sept. 17, 2020 at 7:20 p.m. with a statement from the Department of Veterans Affairs. VA did not immediately return a request to explain the wide discrepancy in accounts about the number of impacted community care providers.
The data breach the Department of Veterans Affairs announced earlier this week exposed personal information for 46,000 veterans, but it also hit several thousand community care providers that supplement the agency’s medical program.
Approximately 17,000 community care providers that provide health services to veterans were also victims of the breach, Democrats on the Senate Veterans Affairs Committee said Wednesday.
Officials had briefed members of the House and Senate veterans committees about the VA data breach.
“Based on information currently available, it appears this cybersecurity incident was carried out by those able to find weaknesses in the way VA authenticates community care health care providers using veterans care agreements and processes payments for their services,” senators, led by committee ranking member Jon Tester (D-Mont.), said in a letter to VA Secretary Robert Wilkie.
VA on Thursday evening pushed back against the senators’ account.
“There were 13 VA community care providers involved in this incident, not 17,000. VA will reimburse those vendors who had payments diverted,” Christina Noel, a department spokeswoman, said in an email to Federal News Network.
She did not immediately return a request from Federal News Network to explain the vast discrepancy between the two figures.
VA officials briefed members of Congress about the data breach on Sept. 8, according to a congressional aide with knowledge of the phone call. The department identified 17,000 community care providers and doctors, as well as 46,000 veterans who had information in the compromised system.
As with most data breaches, the pool of potentially impacted people fluctuates over time, as investigations unfold and victims discover direct evidence of misuse, identity theft or even stolen information.
The congressional aide said VA was trying to downplay its standard protocol of identifying every individual whose personal information was potentially compromised, including the 17,000 community care providers who were in the risk pool.
VA reiterated on Thursday evening it’s offering access to free credit monitoring services for veterans whose information may have been compromised.
The department on Monday declined to elaborate on the specific system that had been breached or the timing of the incident, citing an ongoing investigation of the VA data breach from its inspector general.
But in their letter to Wilkie, Senate Democrats said the department’s customer engagement portal was the site of the VA data breach. The portal was one of 85 different systems under a single authority to operate (ATO), which VA’s Financial Services Center manages.
The Financial Services Center provides administrative and financial management services to VA and other federal agencies and is one of three enterprise services within the department’s franchise fund.
“Are you concerned that VA’s Office of Management, responsible for ‘oversight of VA’s internal control program and compliance with improper payments legislation as well as prevention of fraud, waste, and abuse’ is the organization where this data breach occurred?” the senators said. “What additional steps have you directed to ensure OM reviews all relevant protocols, organizational structures, and oversight mechanisms to ensure such an incident does not reoccur?”
Senate Democrats said they were supportive of the IG investigation. But they questioned VA’s track record with handling past cybersecurity incidents and securing the department’s vast trove…