The U.S. Department of Veterans Affairs notified its beneficiaries on Monday that a data breach has exposed the personal information of approximately 46,000 veterans.
According to the VA’s Office of Management, an online application used by the agency’s Financial Services Center was accessed by unauthorized users in an attempt to divert payments to community care providers for veterans’ treatment.
A preliminary review from the VA’s Privacy Office suggests that hackers used social engineering techniques and exploited authentication protocols to gain access to the app and change financial information to divert those payments.
“To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology,” according to the VA.
The Financial Services Center says it is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information.
“There is no action needed from Veterans if they did not receive an alert by mail, as their personal information was not involved in the incident,” officials said.
The VA is also offering access to credit monitoring services, at no cost, to those whose Social Security numbers may have been compromised.
Social engineering techniques have long been atop the list of concerns for security professionals, given how easy it can be to entice an unsuspecting employee to click a link they shouldn’t.
“From a social engineering standpoint, it has never been easier to trick employees,” as former White House CIO Theresa Payton has said.
Still, she explained, “humans are not the weakest link. Technology is open to be hacked and data can never be 100 percent secure. We have to design for the human.”
Healthcare IT News is a HIMSS Media publication.