VA Did Not Disclose Huge Data Breach for 7 Weeks

By Andy Arnold

The U.S. Department of Veterans Affairs (VA) announced a data breach seven weeks after it occurred in July, affecting the personal information of 46,000 veterans and as many as 17,000 community-care providers that administer health services to veterans.

But while agency officials said the lag was necessary to follow federal government protocols and to inform the affected vets, experts told Digital Privacy News that the notification was quick work on the VA’s part.

Rebecca Herold, CEO of the Privacy Professor consultancy in Des Moines, Iowa, called the seven weeks “reasonable.”

She said: “It often takes a lot of investigation into the situation, to be able to determine how the breach occurred to begin with — and then determine the other factors involved, and possibly other data that may have been compromised, to then provide the information necessary to those whose personal data was impacted, to understand and accurately communicate how the breach occurred, the extent of the breach.


“This is especially true when humans were the weak point in a large organization where social engineering resulted in the breach,” Herold said.

VA’s Response

Christina Noel, a VA spokesperson, countered to Digital Privacy News: “VA adhered to all facets of the law, including … HIPAA and the HHS Office of Civil Rights requirements, when notifying veterans, vendors, Congress and the public.

“All communications were done in consultation with the Office of the Inspector General to avoid jeopardizing its ongoing investigation.”

The breach, announced Sept. 14, was discovered in July, when the agency’s Financial Services Center (FSC) determined that one of its online applications had been accessed by unauthorized users to divert payments to community health care providers for veterans’ medical treatment.


“The breached application was taken off-line on July 17,” Noel told Digital Privacy News. “VA’s Office of Information and Technology (OIT) and the FSC confirmed on July 20 that a breach had occurred.”

September News Release

But in the Sept. 14 news release on the breach, the VA announced that the veterans “had their personal information accessed.”

News reports also disclosed that members of Congress were briefed by VA officials on Sept. 8, six days before the announcement, citing “a congressional aide with knowledge of the phone call.”

However, a member of the Senate Veterans Affairs Committee, Sen. Marsha Blackburn, R-Tenn., told Digital Privacy News that she learned of the breach through the public disclosure.

“I learned of the breach through the VA’s press release,” Blackburn said. “My staff, along with the Veterans Affairs Committee staff, will receive a full readout of the VA Office of Information Technology comprehensive security review, once complete.


“We need to find out exactly what happened so that our veterans’ information is not at risk ever again,” Blackburn said.

Noel declined to comment on Blackburn’s accusations.

But, according to the release, the VA’s FSC determined that one of its online applications had been accessed by unauthorized users to divert payments to the community health care providers.

Preliminary Findings

A preliminary VA review indicated that the unauthorized users gained access to an application to change financial information and divert payments from the VA by using social engineering techniques and by exploiting authentication protocols.

Thirteen VA community care providers were affected by the attack, the VA’s Noel said. Six of the vendors had financial payments diverted — and the agency was working to compensate for the lost funds.

Out of an abundance of caution, Noel said the VA offered free credit-monitoring services to veterans whose personal information might have been compromised.

Andy Arnold is a Washington writer.
