Contractor security flaw puts data of 7,000 veterans at risk

The Veterans Affairs sustained another data breach, putting more than 7,000 veterans at risk of identity theft. A VA spokesman said in an email that a potential flaw in one of its patient databases managed by a vendor to provide home telehealth services may have exposed personal information of veterans. The contractor alerted VA on Nov. 4 of the potential security flaw. VA says more than 690,000 veterans took advantage of the national telehealth program in 2014. “An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern,” the spokesman said. “The contracted vendor has assured VA that only vendor staff and VA staff had accessed this information. The security flaw in the vendor database was immediately corrected and VA continues to closely monitor the application.” The spokesman said VA takes seriously its obligation to protect veteran information and has notified and offered credit protection to all 7,054 veterans in the database. VA says the type of security flaw was one that could have exposed veterans’ data, including name, address, date of birth, phone number and VA patient identification number, via the Internet. The spokesman didn’t name the contractor involved in the data breach. The spokesman said VA’s policy requires notification of a breach to veterans within 60 days — though the department averages 28 days — and then alerts other stakeholders, including Congress, about the possible breach. The 60-day notification requirement is not standard across the government. There are an assortment of laws and policies that govern how quickly agencies need to report data breaches. The Office of Management and Budget’s 2009 guidance requires agencies to report cyber attacks to the U.S. Computer Emergency Readiness Team (U.S-CERT) within one hour. Congress recently changed the Federal Information Security Management Act to require agencies to report cyber attacks and breaches within seven days to their appropriate congressional committees. This latest data breach continues to add to a growing list of challenges VA faces. Even though this was a contractor database and not one run by the department, the potential flaw puts veterans at continued risk. VA officials and House Veterans Affairs Committee members continue to be at loggerheads over whether the agency is doing enough to secure its systems and data. Officials say it’s spending an additional $60 million on cybersecurity efforts in fiscal 2015, and it’s making progress using advanced network security tools and continuous monitoring techniques. But lawmakers are unhappy with VA’s communication and timely response to dozens and dozens of questions asking for details and information on just how the agency is protecting its systems. Most recently, Rep. Jackie Walorski (R- Ind.) wrote to Secretary Bob McDonald asking for more details about how VA is ensuring the security of its eBenefits system, which suffered a hack in January. VA isn’t alone in facing challenges to ensure contractor systems are secure. The Thrift Savings Board and the Homeland Security Department suffered similar breaches over the last few years. The Government Accountability Office in August reviewed how six agencies — the departments of Energy, Homeland Security, State and Transportation and the Office of Personnel Management and the Environmental Protection Agency — ensured contractors protected federal data. Auditors found the six agencies had at least partially implemented governmentwide policies to ensure the oversight of federal data in contractor systems. But GAO said five of the six agencies were inconsistent in overseeing the execution and review of those assessments. RELATED STORIES: Cyber attack against TSP contractor exposes thousands of accounts Data breach puts DHS employees at risk of identity theft VA Cyber Efforts in the Hot Seat VA bringing latest cyber tools to bear to improve network defenses One year later, House lawmakers dissatisfied with VA’s handling of eBenefits cyber breach VA building on MyHealtheVet successes with mobile apps

Media Galleries