This story was updated a third time on Friday, Sept. 18 at 2:30 p.m. with additional comments from the Department of Veterans Affairs.
This story was updated a second time on Friday, Sept. 18 at 12:30 p.m. with additional information from congressional aides.
This story was updated on Thursday, Sept. 17, 2020 at 7:20 p.m. with a statement from the Department of Veterans Affairs. VA did not immediately return a request to explain the wide discrepancy in accounts about the number of impacted community care providers.
The data breach the Department of Veterans Affairs announced earlier this week exposed personal information for 46,000 veterans, but it also hit several thousand community care providers that supplement the agency’s medical program.
Approximately 17,000 community care providers that provide health services to veterans were also victims of the breach, Democrats on the Senate Veterans Affairs Committee said Wednesday.
Officials had briefed members of the House and Senate veterans committees about the VA data breach.
“Based on information currently available, it appears this cybersecurity incident was carried out by those able to find weaknesses in the way VA authenticates community care health care providers using veterans care agreements and processes payments for their services,” senators, led by committee ranking member Jon Tester (D-Mont.), said in a letter to VA Secretary Robert Wilkie.
VA on Thursday evening pushed back against the senators’ account but provided little clarification.
“There were 13 VA community care providers involved in this incident, not 17,000. VA will reimburse those vendors who had payments diverted,” Christina Noel, a department spokeswoman said in an email to Federal News Network.
The department on Friday afternoon later clarified: “17,000 community care providers used the application involved in the incident, but only 13 of those were impacted by the breach and just six had payments diverted,” Noel said. “VA is working with those vendors to compensate the lost funds.”
VA officials briefed members of Congress about the data brief on Sept 8, according to a congressional aide with knowledge of the phone call. The department identified 17,000 community care providers and doctors, as well as 46,000 veterans who had information in the compromised system.
As with most data breaches, the pool of potentially impacted people fluctuates over time, as investigations unfold and victims discover direct evidence of misuse, identity theft or even stolen information.
The congressional aide said VA was trying to downplay its standard protocol of identifying every individual whose personal information was potentially compromised, including the 17,000 community care providers who were in the risk pool.
The department on Monday declined to elaborate on the specific system that had been breached or the timing of the incident, citing an ongoing investigation of the VA data breach from its inspector general.
But in their letter to Wilkie, Senate Democrats said the department’s customer engagement portal was the site of the VA data breach. The portal was one of 85 different systems under a single authority to operate (ATO), which VA’s Financial Services Center manages.
The Financial Services Center provides administrative and financial management services to VA and other federal agencies and is one of three enterprise services within the department’s franchise fund.
“Are you concerned that VA’s Office of Management, responsible for ‘oversight of VA’s internal control program and compliance with improper payments legislation as well as prevention of fraud, waste, and abuse’ is the organization where this data breach occurred?” the senators said. “What additional steps have you directed to ensure OM reviews all relevant protocols, organizational structures, and oversight mechanisms to ensure such an incident does not reoccur?”
Senate Democrats said they were supportive of the IG investigation. But they questioned VA’s track record with handling past cybersecurity incidents and securing the department’s vast trove of data.
“This is not a new vulnerability for VA,” Tester and his committee colleagues wrote. “Rather, it is a long-standing weakness of the department as identified by independent reviews conducted by the VA OIG and the Government Accountability Office for more than 10 years. The information provided to Congress on this incident raises countless questions and does not instill confidence that VA is adequately addressing the current incident or working to better safeguard private information in the future.”
According to the senators, the officials from VA’s Office of Information and Technology who briefed them said the data breach was the responsibility of the department’s Financial Services Center.
“This most recent data breach is unacceptable,” senators wrote. “It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability and security of the vast financial, health, and other personal data it collects and processes to perform its critical services for America’s veterans. Incidents such as these impact individual veteran’s lives as well as those who partner with VA to provide services to them. It is imperative VA take aggressive and decisive action to address this current incident and lay out a strategy to prevent such problems from arising in the future.”
In a lengthy list of questions for the department, senators pointed to a 2019 GAO report, which offered four recommendations for VA’s cybersecurity and enterprise risk management programs.
Specifically, GAO recommended VA establish a requirement and process for conducting an organization-wide cybersecurity risk assessment. VA told GAO last summer it would have those plans in place by June 2020.
“The department has made steady progress in improving cybersecurity by taking numerous actions to bolster VA’s security posture, including revising policies, adding additional monitoring capabilities and improving workforce incorporation of cybersecurity and privacy habits,” Noel, the VA spokeswoman, said.
VA is currently knee-deep in several IT modernization projects, including a decade-long effort to adopt a new, commercial electronic health record and achieve interoperability with the Pentagon. The department has spent much of the pandemic rapidly expanding its telework and telehealth capacity and adding new digital tools for veterans to more easily connect with VA.
On Wednesday, it described the latest project: an overhaul to the IT systems the Veterans Benefits Administration uses to process education and housing claims under the GI bill.