Republican leadership on the House Oversight and Reform Committee has requested a briefing from Department of Veterans Affairs (VA) officials on the data breach that the agency disclosed last month.
In a letter to VA Secretary Robert Wilkie, Government Operations Subcommittee Ranking Member Jody Hice, R-Ga., requested a briefing on the data breach, announced by the VA on Sept. 14, that exposed the personal information of 46,000 veterans.
“Data breaches of any kind are concerning, but particularly so when the targeted data is held in trust by the U.S. Government and where it affects veterans,” wrote the lawmakers in the letter sent today. “Specifically, unauthorized users recently compromised an online application used to process payments to community health care providers for medical treatment of veterans. As such, we are writing to request more information on how the VA is protecting the personal information of veterans.”
As part of the breach, hackers used social engineering techniques to exploit authentication protocols and alter financial information. The criminals were then able to divert payments intended for community healthcare providers, as well as expose personally identifiable information (PII), including Social Security numbers. The lawmakers noted that upon learning about the breach, the VA did take “immediate steps” to “ensure the protection of affected veterans by initiating an investigation, ceasing access to the tampered online application, and alerting all individuals whose information was potentially at risk.”
In a press statement, the lawmakers praised the VA for taking quick action, but still want a briefing to discuss what future steps the VA will be taking to protect veterans’ personal information. The letter noted that this isn’t the only incident where veterans’ PII has been exposed.
“A recent investigation by the VA Office of Inspector General (OIG) found that some veterans’ sensitive personal information was left unprotected on shared network drives, potentially accessible by Veterans Service Organization officers who did not represent those veterans and had no need for such information,” the letter said.
GOP leadership is seeking answers to the following questions:
- When did the VA become aware of the data breach and what steps were taken to secure the affected application?
- How many unauthorized users were identified by the VA on the payment processing application?
- How long was veterans’ personal information potentially exposed to unauthorized users on the affected application?
- How did the VA determine the 46,000 veterans who were potentially affected and how are notifications being made to those veterans?
- What are the potential negative consequences for a veteran whose information was compromised in the breach?
- What steps is the VA taking to ensure that veterans’ personally identifiable information remains secure on VA data networks as well as VA online applications?