Today, Subcommittee on Government Operations Ranking Member Jody Hice (R-Ga.) and Committee Republicans sent a letter to U.S. Department of Veterans Affairs (VA) Secretary Robert Wilkie requesting a briefing on a recent VA data breach that exposed the personal information of 46,000 veterans.
“Data breaches of any kind are concerning, but particularly so when the targeted data is held in trust by the U.S. Government and where it affects veterans,” wrote the lawmakers. “Specifically, unauthorized users recently compromised an online application used to process payments to community health care providers for medical treatment of veterans. As such, we are writing to request more information on how the VA is protecting the personal information of veterans.”
The unauthorized users exploited authentication protocols to alter financial information, diverting payments intended for community healthcare providers and exposing personally identifiable information. Upon learning of the breach, the VA took immediate steps to ensure the protection of affected veterans by initiating an investigation, ceasing access to the tampered online application, and alerting all individuals whose information was potentially at risk. Although the lawmakers commend the VA for their quick response, Ranking Member Hice and Oversight Republicans are calling for a briefing on what future steps the VA will be taking to protect veterans’ personal information.
Dear Secretary Wilkie:
The House Committee on Oversight and Reform Republicans are conducting oversight of a recent data breach at the U.S. Department of Veterans Affairs (VA). On September 14, 2020, the VA announced a data breach involving the personal information of 46,000 veterans. Specifically, unauthorized users recently compromised an online application used to process payments to community health care providers for medical treatment of veterans. As such, we are writing to request more information on how the VA is protecting the personal information of veterans.
The VA’s investigation thus far indicates that unauthorized users gained access through social engineering techniques and by exploiting authentication protocols to change financial information and divert payments from the VA that were intended to reimburse community health care providers. Apparently, these unauthorized users were also able to access personally identifiable information of veterans receiving care from community health care providers, including social security numbers.
Upon discovering the data breach, the VA appears to have immediately initiated an investigation, taken the application offline, and made a public announcement. The VA is also alerting affected individuals of the potential risk to their personal information through a letter mailer and is offering free credit monitoring services to individuals whose social security numbers were compromised.
Although we commend the VA for its apparent quick response in taking the application offline and investigating the breach, as well as its efforts to notify affected individuals, we are concerned about veterans’ personal information being vulnerable and the potential consequences data breaches such as this have on affected veterans.
This issue is not unique to the VA’s online applications. A recent investigation by the VA Office of Inspector General (OIG) found that some veterans’ sensitive personal information was left unprotected on shared network drives, potentially accessible by Veterans Service Organization officers who did not represent those veterans and had no need for such information. Although no known data breaches occurred as a result, the VA did concur with all the OIG’s recommendations and implemented a corrective action plan.
Data breaches of any kind are concerning, but particularly so when the targeted data is held in trust by the U.S. Government and where it affects veterans. To that end, we request a staff-level briefing by the VA sufficient to answer the following questions:
- When did the VA become aware of the data breach and what steps were taken to secure the affected application?
- How many unauthorized users were identified by the VA on the payment processing application?
- How long was veterans’ personal information potentially exposed to unauthorized users on the affected application?
- How did the VA determine the 46,000 veterans who were potentially affected and how are notifications being made to those veterans?
- What are the potential negative consequences for a veteran whose information was compromised in the breach?
- What steps is the VA taking to ensure that veterans’ personally identifiable information remains secure on VA data networks as well as VA online applications?
This briefing may be conducted remotely for convenience. To schedule the briefing or ask any follow-up or related questions, please contact Committee on Oversight and Reform staff at (202) 225-5074.
The Committee on Oversight and Reform is the principal oversight committee of the U.S. House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X. Thank you in advance for your cooperation with this inquiry.
Subcommittee on Government Operations
Committee on Oversight and Reform
Glenn S. Grothman
Subcommittee on National Security
Subcommittee on Economic and Consumer Policy
Subcommittee on Civil Rights and Civil Liberties
Mark E. Green, M.D.
Subcommittee on Environment
Paul A. Gosar, D.D.S.
Virginia A. Foxx
Ralph W. Norman
Carol D. Miller
Fred B. Keller