DoD officials said the agency will revamp its online databases for the Servicemembers Civil Relief Act (SCRA) after allegedly exposing millions of soldiers’ and veterans’ personal information to identity thieves and scammers.
The decision comes after the Department of Defense (DoD) settled a lawsuit brought by Vietnam Veterans of America (VVA), which alleged that veterans’ private data was “easily accessible on the internet to anybody at all, anonymously, for any purpose.”
What you are about to read should give you pause when considering the Department of Veterans Affairs’ new plan to share veterans’ health information on the third-party Health Information Exchange without consent.
SCRA Database Practices
Attorneys representing VVA argued the DoD should have been more aggressive in how it safeguarded the private information. The databases in question have been in operation since 1985. They allowed private businesses to review data to verify troops’ military status for eligibility to the SCRA.
“Veterans are not a product. We will not let those who have exploited our defenders go unpunished,” VVA national president John Rowan said in a statement. “Monetizing our service members by sharing their personal information for profit while compromising their identities is despicable and damaging to our national defense.”
VVA sued DoD in August 2017 because the agency was allegedly violating the Privacy Act as well as the Federal Information Security Modernization Act, which limits an agency’s use of an individual’s Social Security Number.
The website handled 2.3 billion requests per year according to DoD statistics and allowed a single user to make up to 12.5 million queries each day.
VVA was concerned that the few restrictions on site usage opened the door to cybercriminals and terrorists who could anonymously access the data.
“Particularly for special ops people, this is really dangerous. That’s why it’s a matter of national security that this thing is so loosey-goosey,” Rick Weidman, VVA’s director for policy and government affairs, said in an interview with Federal News Network shortly after the lawsuit’s filing. “You don’t know who’s pulling your information because they don’t track it.”
As an example, VVA produced evidence that one veteran, co-plaintiff Thomas Barden, was victimized by scammers who used information from the SCRA website to gain his confidence.
They claimed to be Microsoft employees diagnosing problems Barden had with his computer. The information they gleaned from the SCRA website helped them convince Barden of their legitimacy.
According to Barden, the scammers eventually gained remote access to his computer and tried to gain access to his bank accounts. When Barden grew suspicious and refused, the scammer locked down the computer and demanded a ransom payment.
Thoughts On Data Sharing
These agencies have struggled for years to protect private data about veterans and servicemembers, and the number of data breaches seems to be rising in step with the increased use of third-party vendors.
I encourage readers to search the web for stories about VA, DoD, or SSA failing to adequately safeguard sensitive records belonging to Americans. Report back here with what you find.
So, what do you think? Should we move forward with Health Information Exchanges without knowing more about safeguards? Or should we put a halt to the process until the government explains how it will prevent a repeat of the previous breaches under the new system?