Hackers were able to divert payments headed to private sector health care providers.
Hackers attempting to steal money the Veterans Affairs Department was sending to private sector health care providers also scooped up the personal information of some 46,000 veterans.
According to an announcement put out Monday by VA, the department detected a breach of a payment processing system managed by the Financial Services Center after perpetrators were able to use social engineering to trick users into giving up their secure access information. The hackers were then able to use those credentials to gain access to the system and change billing information to “divert payments to community health care providers,” i.e. private sector, non-VA medical facilities.
After discovering the compromise, “The FSC took the application offline and reported the breach to VA’s Privacy Office,” the statement reads. VA officials said the affected system will remain offline until the Office of Information Technology can perform “a comprehensive security review.”
The incident is also being investigated by the VA inspector general, a department spokesperson told Nextgov.
While the hackers’ primary goal seems to be monetary, the personally identifiable information for some 46,000 veterans was exposed in the process. Compromised information included the veterans’ names, Social Security numbers and the claim number being processed, the spokesperson confirmed.
VA has sent letters to all of those affected by the breach, with instructions on how to protect their data and access to free credit monitoring services.
“There is no action needed from veterans if they did not receive an alert by mail, as their personal information was not involved in the incident,” according to the statement.
Health care providers affected by the system outage have been told to contact the FSC helpdesk for information on workarounds until the system is up and running again, the spokesperson said.
The breach announcement comes five weeks after FSC issued a request for information for cybersecurity audit services. The VA spokesperson confirmed that solicitation is directly related to this incident.
“The contractor shall provide a gap analysis on which cybersecurity tools, processes, and controls the government should employ and provide recommendations of methods to improve visibility as well as incident response time following VA best practices,” the RFI states.
VA officials declined to answer additional questions about the amount stolen, whether the compromised credentials belong to a government employee or contractor, or provide additional details about the nature of the social engineering that took place due to the inspector general investigation.
The agency is in the midst of a major overhaul of its financial services system projected to cost $2.5 billion by the time it’s finished.
In December, VA officials told members of the House Veterans Affairs Committee subcommittees on Technology Modernization and Oversight and Investigations that the project had seen significant delays and cost overages from the original plan, which would have cost $887 million and been completed by 2025.
Officials now say the project is on track to be completed by 2030 or sooner, if all goes well.
Editor's Note: This article was updated with comments from the Veterans Affairs Department spokesperson.