The Department of Veterans Affairs admitted by press release that 46,000 veterans were victims of an agency data breach while withholding details that fired up some in Congress.
The agency’s press release stated, “A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.”
Those impacted will likely receive the agency’s typical one year of free credit monitoring to compensate veterans for the breach. “To protect these Veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information. The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised.”
The news preceded a curiously timed GAO report, titled VA Needs to Address Persistent IT Modernization and Cybersecurity Challenges, reminding everyone and their mom that VA still has not addressed “persistent” IT problems exposing veterans to risk.
It appears the agency attempted to get in front of the report and accompanying testimony to the House Committee on Veterans Affairs delivered two days later.
Despite an annual IT budget of over $4 billion, “over many years, VA has experienced challenges in managing its IT projects and programs, raising questions about the efficiency and effectiveness of its Office of Information and Technology (OI&T) and its ability to deliver intended outcomes needed to help advance the department’s mission.”
The report and subsequent information about the breach suggested VA + Cybersecurity is actually an oxymoron when used in the same sentence.
The key IT systems addressed in the GAO report include:
- health information system, the Veterans Health Information Systems and Technology Architecture (VistA);
- program to support family caregivers; and
- benefits management system.
Do you know how much data is contained within these systems about each and every veteran receiving benefits?
Without mincing words, GAO concluded its report stating, “Further, the lack of key cybersecurity management elements at VA is concerning given that agencies’ systems are increasingly susceptible to the multitude of cyber-related threats that exist.”
In testimony to Congress, GAO stated that until VA “rectifies reported shortcomings” in its security program it will “continue to have limited assurance” that its sensitive information is sufficiently locked down.
So, what is going on at a high level?
Here are some examples of what GAO found. It should not take a high IQ to figure out why taxpayers and veterans should be concerned:
- GAO has reported on the challenges in the department’s three previous unsuccessful attempts to modernize VistA over the past 20 years. However, VA has recently deployed a new scheduling system as part of its fourth effort to modernize VistA and the next deployment of the system, including additional capabilities, is planned in October 2020.
- VA had taken steps to address GAO’s recommendations from its 2014 report to implement a replacement system for the Family Caregiver Program. However, in September 2019, GAO reported that VA had yet to implement a new IT system that fully supports the Family Caregiver Program and that it had not yet fully committed to a date by which it will certify that the new IT system fully supports the program.
- In September 2015, GAO reported that VA had made progress in developing and implementing VBMS, but also noted that additional actions could improve efforts to develop and use the system. For example, VBMS was not able to fully support disability and pension claims, as well as appeals processing. GAO made five recommendations aimed at improving VA’s efforts to effectively complete the development and implementation of VBMS; however, as of September 2020, VA implemented only one recommendation.
VA is pumping money in every which way to fix longstanding IT challenges without properly addressing management of cybersecurity.
The data breach may be bigger than VA admitted initially.
In addition to the 46,000 veterans implicated, the compromise may implicate another 84 systems that could be impacted by the same vulnerability. Among those impacted may also be 17,000 community care providers.
“This incident raises numerous concerns not just for this incident, but more broadly with how VA is approaching protecting the [Personal Identifiable Information] and other important data within its vast data systems and networks,” states the letter, signed by Democratic Ranking Member Jon Tester of Montana and others. “This is not a new vulnerability for VA. Rather, it is a long-standing weakness of the Department as identified by independent reviews conducted by the VA OIG and the Government Accountability Office (GAO) for more than 10 years.”
While VA now disputes the number of community care providers impacted, the agency admits that at least 13 were impacted, including six from which funds were diverted.
Why would VA fail to mention that its community care vendors were also victims of the cyber burglary scheme? Much less, with all the billions pounded into the IT program each year, why does VA continue to fail to fix known vulnerabilities?
Simple. There is no significant penalty for data breaches by US government agencies right now.
I remember that an unfortunate turning point came in 2012 with a decision by the Supreme Court.
Since that point, there is a widely held belief that the federal government can practically do whatever it wants with the data of the American public with little to no consequence.
This belief took off almost a decade ago with the story of a pilot whose sexual preference and medical data were improperly shared between federal agencies, resulting in significant embarrassment.
The pilot was homosexual and HIV positive.
In 2012, the Supreme Court held, in FAA v. Cooper, that individuals cannot receive damages from the government for emotional harm when the federal government violates their right to privacy. Instead, a claimant can only recover actual damages, which are difficult to prove.
This position also apparently includes willful or intentional violations of the Privacy Act – and I’ll let you figure out how that might impact actions by VA officials or private actors working in conspiracy with federal officials to exploit the private data of veterans and others.
In the Cooper dissent, Justice Sotomayor wrote:
“After today, no matter how debilitating and substantial the resulting mental anguish, an individual harmed by a federal agency’s intentional or willful violation of the Privacy Act will be left without a remedy unless he or she is able to prove pecuniary harm. That is not the result Congress intended when it enacted an Act with the express purpose of safeguarding individual privacy against Government invasion. And it is not a result remotely suggested by anything in the text, structure, or history of the Act. For those reasons, I respectfully dissent.”
Based on fallout from the Court’s decision, Senator Daniel Akaka (D-HI) attempted, without success, to pass a bill to short-circuit the natural effect of this kind of lack of accountability.
About the bill, Akaka stated:
“Finally, it would address the Supreme Court’s ruling restricting Privacy Act remedies earlier this year that has by many experts’ accounts rendered the Privacy Act toothless. In Federal Aviation Administration v. Cooper, the Social Security Administration violated the Privacy Act by sharing the plaintiff’s HIV status with other federal agencies. The Court concluded that the plaintiff could not recover damages for emotional distress because Privacy Act damages are limited to economic harm. My amendment would heed the call of scholars across the political spectrum to amend the Privacy Act and fix this decision. It would also clarify that in the event of a federal violation in the information sharing title of the bill, a victim would be entitled to recovery for the same types of non-economic harms.”
Today, we have a VA that continually fails to protect the private data of veterans, much of which is still sensitive or even top secret. However, the federal government cannot be properly held accountable for protecting our data beyond the small gift of one year of credit protection.
In light of President Donald Trump’s longstanding complaint against snooping, I would hope he would crack down on this kind of problem. Perhaps this kind of issue may be something he could get behind, and hopefully in the near term.