Veterans Affairs Breach

An online application handling medical payments for the Department of Veterans Affairs was breached, potentially exposing the personal information of 46,000 members. More details on the Veterans Affairs breach are discussed below.

Veterans Affairs Breach: What Happened?

On September 14, 2020, the Veterans Health Administration reported a network server breach to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). A preliminary investigation conducted by the VA’s Privacy Office found that hackers accessed the network to change financial information with the intention of diverting payments meant for community care health providers. The compromised system has been taken offline until the VA’s Office of Information Technology completes its security review.

“VA’s independent inspector general’s investigator is investigating that issue, and in order to protect the integrity of the investigation can’t comment further,” stated Christina Noel, a VA spokeswoman.

Although it appears that hackers were not targeting protected health information, some Social Security numbers were exposed. Patients whose Social Security numbers were compromised will receive free credit monitoring services. Impacted patients will receive a breach notification letter from the VA with instructions on how to protect their personal information.

How the Breach Could Have Been Prevented

The hacker who accessed the Veterans Health Administration network server most likely started the attack by sending phishing emails to a VA employee. Phishing emails are messages disguised as coming from a trusted entity that prompt recipients to click a malicious link or provide sensitive information such as login credentials. They are becoming more sophisticated and harder to recognize, making it more important than ever to train employees to spot them.

Some indicators are easy to recognize, such as poor grammar, a sender address that does not use a company domain, or a generic greeting. Others are harder to spot, such as a minor misspelling in an email address or a URL that redirects to a malicious website. To check whether an email address is correct, hover over it and carefully check the spelling before opening the email. The same can be done for a URL: before clicking, hover over the link to double-check that it goes to a legitimate site. Other email best practices include never providing personal information through email and never opening an unsolicited email attachment.
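The two harder-to-spot indicators above can also be checked automatically at the mail gateway. The following is an added example, not part of the original article: the `.example` domains, the `TRUSTED` set, the sample message and the 0.85 similarity cutoff are all constructed assumptions.

```python
from difflib import get_close_matches
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"agency.example"}  # assumption: the organisation's own mail domain
SAMPLE = '''From: "Payments Desk" <billing@agencv.example>
Subject: Update provider bank details
Content-Type: text/html

<p>Confirm at <a href="http://pay.portal-login.example/x">https://www.agency.example/pay</a></p>
'''  # constructed message, not taken from the incident

def sender_finding(from_header):
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED:
        return None
    near = get_close_matches(domain, TRUSTED, n=1, cutoff=0.85)  # minor misspelling?
    kind = "lookalike" if near else "external"
    return f"{kind} sender domain {domain}"

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_email(raw):
    msg = message_from_string(raw)
    findings = [f for f in [sender_finding(msg["From"])] if f]
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        # What hovering reveals: the host shown in the text vs the real target.
        shown = urlparse(text if "://" in text else "//" + text).hostname
        actual = urlparse(href).hostname
        if shown and "." in shown and actual and shown != actual:
            findings.append(f"link shows {shown} but goes to {actual}")
    return findings
```

The host comparison is exact, so a production filter would compare registrable domains instead to avoid flagging `www.` variants of the same site.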
