On September 14, 2020, the U.S. Department of Veterans Affairs announced that it had experienced a data breach that affected 46,000 veterans. A number of Senate Democrats now want answers from the VA regarding the breach and the cybersecurity procedures the VA has set up to avoid data breaches.
Hackers gained access to a program that the VA’s Financial Services Center uses to transmit payments to community healthcare providers for the medical care of veterans. They rerouted six payments that were meant for community care providers to bank accounts under their control. The data of veterans stored in the system was also compromised and likely stolen.
Upon discovery of the breach, the VA’s Office of Information and Technology took the program offline, and it won’t be available until a review is completed. The VA offered the affected veterans free credit monitoring services and is currently taking care of the payments for the community care providers.
Officials from the VA Office of Information and Technology explained to the Senate and House veterans’ affairs committees that the breach affected roughly 17,000 community care providers. The VA further explained that even though 17,000 community care providers are using the program, only 13 were affected.
In a letter addressed to VA Secretary Robert Wilkie, Sens. Patty Murray, Jon Tester, Sherrod Brown, Mazie K. Hirono, Richard Blumenthal, Joe Manchin III, Margaret Wood Hassan, Kyrsten Sinema, and Jeanne Shaheen expressed “serious concerns” regarding the VA’s ability to secure the data of veterans and community care providers, and asked the VA to guarantee that the department is capable of protecting personal and financial information.
Based on the currently available information, the Senators said, the hackers seem to have known the flaws in the process the VA uses to authenticate community health care providers and send payments for their services. This cybersecurity incident raises concerns not only about this occurrence, but also about the way the VA is securing PII and other vital information in its huge data systems and networks.
The Senators also pointed out that the hackers did not exploit a vulnerability that was new to the VA. Third-party reviews performed by the VA OIG and the Government Accountability Office (GAO) have identified this long-standing weakness at the VA over the past 10 years.
The Senators’ sources included two GAO reports from June and July 2019, which specifically gave the VA several recommendations on cybersecurity, data protection and risk management. The VA is being required to report on its efforts to implement those recommendations.
The VA is being required to present a breakdown of all affected community care providers per state and to give details on what it is doing to guarantee the security of the personal and financial data of community care providers and veterans. The Senators would like to know who learned about the breach: the VA or the VA Office of Inspector General. They also want details about the systems that the VA Financial Services Center uses.
The Senators likewise raised the concern that the VA is in a reactive position, waiting for cybersecurity vulnerabilities to occur. They would like to know what proactive checks were done to determine vulnerabilities, how regularly those checks were performed, and what measures the VA will consider to increase monitoring of business regulations and of IT and cybersecurity steps, so that vulnerabilities are identified and addressed before any exploitation.
The Senators said that this recent data breach is unacceptable. It shows that the VA has not done enough to ensure the proper monitoring, accountability, and protection of the financial, medical, and other personal information it records and processes to deliver essential services for America’s veterans. It is crucial for the VA to take extreme and definitive actions to deal with the present incident and to develop a strategy to prevent the same problems in the future.