Editor’s Note: This story has been updated with a statement from the VA denying Senate Democrats’ claims.
A recent breach of veterans’ personal information may have also compromised the information of 17,000 community care providers, a point the Department of Veterans Affairs didn’t initially disclose when it announced the incident Tuesday, according to some Senate Democrats.
The additional 17,000 providers involved in the incident came to light in a letter Democrats on the Committee on Veterans’ Affairs sent Wednesday to VA leadership. In the letter, the senators expressed “serious concerns” over the VA’s cybersecurity and its lack of full transparency as to who was impacted by the data breach.
But a VA spokesperson pushed back on the senators’ allegations, calling them inaccurate. “17,000 community care providers used the application involved in the incident, but only 13 of those were impacted by the breach and just six had payments diverted,” said press secretary Christina Noel. “VA is working with those vendors to compensate the lost funds.”
The VA’s original disclosure earlier this week revealed 46,000 veterans as victims of the incident. The breach appears to have stemmed from unauthorized users accessing an application within the Financial Service Center (FSC) to steal payments from community health care providers, the VA announced Tuesday.
“This incident raises numerous concerns not just for this incident, but more broadly with how VA is approaching protecting the [Personal Identifiable Information] and other important data within its vast data systems and networks,” states the letter, signed by Democratic Ranking Member Jon Tester of Montana and others. “This is not a new vulnerability for VA. Rather, it is a long-standing weakness of the Department as identified by independent reviews conducted by the VA OIG and the Government Accountability Office (GAO) for more than 10 years.”
The letter indicates that VA staff told the Senate the compromised FSC system operates under the same authority to operate as 84 other systems, raising the possibility that other systems could be vulnerable to further data breaches.
“It appears the Department remains in a reactive posture, waiting for cybersecurity or business rule vulnerabilities to arise,” the letter states. Many previous recommendations on how to improve the cybersecurity of the VA remain open and unresolved, the letter notes.
The VA, however, contends that “it has made steady progress in improving cybersecurity by taking numerous actions to bolster VA’s security posture, including revising policies, adding additional monitoring capabilities, and improving workforce incorporation of cybersecurity and privacy habits,” Noel said.
The letter also raised concerns about how impacted community care providers and veterans can get help. The VA’s initial press release directed those impacted to email or mail questions to the VA at a time when postal services have been overwhelmed and some veterans lack internet access.
“This most recent data breach is unacceptable. It also exposes the fact that VA has not taken the necessary steps to ensure oversight, accountability, and security of the vast financial, health, and other personal data it collects and processes to perform its critical services for America’s veterans,” the letter states.