A cybersecurity breach at the Department of Veterans Affairs has potentially exposed personal information for 46,000 veterans, the agency said Monday in a statement.
The breach involved an online application that appeared to handle medical payments of some kind. VA declined to comment on the details of the breached system or the timing of the incident.
“VA’s independent inspector general’s investigator is investigating that issue, and in order to protect the integrity of the investigation can’t comment further,” Christina Noel, a VA spokeswoman, told Federal News Network in an email.
Based on a preliminary review from VA’s Privacy Office, unauthorized users gained access to the application and changed financial information to divert payments that the department makes to community care health providers, “using social engineering techniques and exploiting authentication protocols.”
VA’s Office of Information and Technology will complete a security review before bringing the breached system back online, the department said.
VA is alerting impacted veterans, including their family members or next-of-kin, about the data breach, the department said. It will offer free credit monitoring services to those whose Social Security numbers have potentially been compromised.
Veterans will receive more information by mail, which will include instructions on the steps they can take to protect their personal data. Veterans who don’t receive any alert from the department were not impacted by the recent data breach, VA said.
The VA data breach is relatively small compared to those that other federal agencies have experienced in recent years.
The Defense Information Systems Agency reported a data breach earlier this year, which impacted 200,000 people.
Security research firm Comparitech counted at least 443 data breaches among government agencies and military branches between 2014 and 2018. The Office of Personnel Management’s 2015 breaches impacted nearly 21.5 million federal employees, retirees and others. A 2018 data breach at the U.S. Postal Service affected nearly 60 million record holders.
OPM is obligated by law to provide up to $5 million in free identity theft and credit monitoring services to those impacted by its 2015 cybersecurity breaches through at least 2025, though the Government Accountability Office has questioned the value of such services.
While there have been fewer major data breaches among federal agencies over the past few years, the risk continues to be significant. A report by the Senate Homeland Security and Governmental Affairs Committee from last summer found eight agencies were at risk of a data breach because they didn’t comply with federal cybersecurity standards.