VA Cybersecurity

Hackers Exploit Known VA Cybersecurity Weaknesses In Massive Data Breach

The Department of Veterans Affairs admitted by press release that 46,000 veterans were victims of an agency data breach while withholding details that fired up some in Congress.

The agency’s press release stated, “A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.”
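The press release describes the classic payment-diversion pattern: an attacker who has talked or phished their way past authentication changes the destination account so the next disbursement goes to them. One defensive control a payment application can apply to that pattern is a hold-and-verify check on bank-account changes, shown here as an added example that is not code from the article or from VA. The event schema, the three risk rules, the thresholds and the sample events are all constructed for illustration.

```python
"""Hold-and-verify screening for payee bank-account changes.

Added example, not VA code. Models a control a payment application can
apply before a change of destination account takes effect: the change is
held for out-of-band verification when it looks like an account takeover.
Event fields, rules and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ChangeEvent:
    user_id: str
    kind: str                      # "login", "password_reset", "email_change", "bank_account_change"
    at: datetime
    device_id: str
    new_value: Optional[str] = None  # for bank_account_change: the new destination account (constructed)


@dataclass
class Decision:
    action: str                    # "allow" or "hold_for_verification"
    reasons: List[str] = field(default_factory=list)


# Assumed thresholds: tune to the real population's behaviour.
RECENT_WINDOW = timedelta(days=14)        # credential/contact change shortly before a bank change
KNOWN_DEVICE_MIN_AGE = timedelta(days=30)  # how long a device must have been seen to count as known


def evaluate_bank_change(event: ChangeEvent, history: List[ChangeEvent]) -> Decision:
    """Decide whether one bank-account change may take effect immediately.

    Only events strictly before `event` are considered, so the check behaves
    the same whether it runs live or over a batch.
    """
    assert event.kind == "bank_account_change"
    reasons: List[str] = []
    earlier = [h for h in history if h.at < event.at]
    mine = [h for h in earlier if h.user_id == event.user_id]

    # Rule 1: password reset or e-mail change shortly before the bank change.
    # Social-engineered resets typically precede the payout change by days.
    for h in mine:
        if h.kind in ("password_reset", "email_change") and event.at - h.at <= RECENT_WINDOW:
            reasons.append(f"{h.kind} {(event.at - h.at).days} days before bank change")

    # Rule 2: the change comes from a device this account has never (or only recently) used.
    first_seen = min((h.at for h in mine if h.device_id == event.device_id), default=None)
    if first_seen is None:
        reasons.append("change made from a device never seen on this account")
    elif event.at - first_seen < KNOWN_DEVICE_MIN_AGE:
        reasons.append("change made from a device first seen less than 30 days ago")

    # Rule 3: the same destination account was already set on other users' accounts.
    # One mule account collecting many payees is the signature of a diversion campaign.
    others = {h.user_id for h in earlier
              if h.kind == "bank_account_change"
              and h.new_value == event.new_value
              and h.user_id != event.user_id}
    if others:
        reasons.append(f"destination account already set on {len(others)} other account(s)")

    return Decision("hold_for_verification" if reasons else "allow", reasons)


def screen_changes(events: List[ChangeEvent]) -> List[Tuple[ChangeEvent, Decision]]:
    """Run every bank-account change in a batch through the check, in time order."""
    ordered = sorted(events, key=lambda e: e.at)
    results = []
    for i, e in enumerate(ordered):
        if e.kind == "bank_account_change":
            results.append((e, evaluate_bank_change(e, ordered[:i])))
    return results


# Constructed sample activity for three fictitious accounts.
_BASE = datetime(2020, 1, 1)


def _day(n: int) -> datetime:
    return _BASE + timedelta(days=n)


SAMPLE_EVENTS = [
    # vet-001: reset from a new device, then the payout account changes three days later.
    ChangeEvent("vet-001", "login", _day(1), "dev-A"),
    ChangeEvent("vet-001", "password_reset", _day(100), "dev-B"),
    ChangeEvent("vet-001", "bank_account_change", _day(103), "dev-B", "ACCT-9999"),
    # vet-002: long-established device, no preceding credential change.
    ChangeEvent("vet-002", "login", _day(1), "dev-C"),
    ChangeEvent("vet-002", "login", _day(50), "dev-C"),
    ChangeEvent("vet-002", "bank_account_change", _day(120), "dev-C", "ACCT-1111"),
    # vet-003: unknown device, and the same destination account as vet-001's change.
    ChangeEvent("vet-003", "login", _day(10), "dev-D"),
    ChangeEvent("vet-003", "bank_account_change", _day(125), "dev-E", "ACCT-9999"),
]


if __name__ == "__main__":
    for ev, dec in screen_changes(SAMPLE_EVENTS):
        print(ev.user_id, dec.action, "; ".join(dec.reasons))
```

A held change is not rejected, only deferred until the payee confirms it through a channel the attacker does not control (a call-back to a number on file, a mailed notice, or an in-person check), which is what defeats a purely social-engineered takeover without blocking legitimate updates.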


Those impacted will likely receive the agency’s typical one year of free credit monitoring as compensation for the breach. “To protect these Veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information. The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised.”

The news preceded a curiously timed GAO report, titled VA Needs to Address Persistent IT Modernization and Cybersecurity Challenges, reminding everyone and their mom that VA still has not addressed “persistent” IT problems that expose veterans to risk.

It appears the agency attempted to get in front of the report and accompanying testimony to the House Committee on Veterans Affairs delivered two days later.


Despite an annual IT budget of over $4 billion, “over many years, VA has experienced challenges in managing its IT projects and programs, raising questions about the efficiency and effectiveness of its Office of Information and Technology (OI&T) and its ability to deliver intended outcomes needed to help advance the department’s mission.”

The report and subsequent information about the breach suggested that “VA” and “cybersecurity” are actually an oxymoron when used in the same sentence.

The key IT systems addressed in the GAO report include:

  1. health information system, the Veterans Health Information Systems and Technology Architecture (VistA);
  2. program to support family caregivers; and
  3. benefits management system.

Do you know how much data is contained within these systems about each and every veteran receiving benefits?

Without mincing words, GAO concluded its report stating, “Further, the lack of key cybersecurity management elements at VA is concerning given that agencies’ systems are increasingly susceptible to the multitude of cyber-related threats that exist.”


In testimony to Congress, GAO stated that until VA “rectifies reported shortcomings” in its security program it will “continue to have limited assurance” that its sensitive information is sufficiently locked down.

So, what is going on at a high level?

Here are some examples of what GAO found. It should not take a high IQ to figure out why taxpayers and veterans should be concerned:

  • GAO has reported on the challenges in the department’s three previous unsuccessful attempts to modernize VistA over the past 20 years. However, VA has recently deployed a new scheduling system as part of its fourth effort to modernize VistA and the next deployment of the system, including additional capabilities, is planned in October 2020.
  • VA had taken steps to address GAO’s recommendations from its 2014 report to implement a replacement system for the Family Caregiver Program. However, in September 2019, GAO reported that VA had yet to implement a new IT system that fully supports the Family Caregiver Program and that it had not yet fully committed to a date by which it will certify that the new IT system fully supports the program.
  • In September 2015, GAO reported that VA had made progress in developing and implementing VBMS, but also noted that additional actions could improve efforts to develop and use the system. For example, VBMS was not able to fully support disability and pension claims, as well as appeals processing. GAO made five recommendations aimed at improving VA’s efforts to effectively complete the development and implementation of VBMS; however, as of September 2020, VA implemented only one recommendation.

VA is pumping money in every which way to fix longstanding IT challenges without properly addressing management of cybersecurity.

The data breach may be bigger than VA admitted initially.

In addition to the 46,000 veterans implicated, the compromise may extend to another 84 systems that could be affected by the same vulnerability. Among those impacted may also be 17,000 community care providers.

“This incident raises numerous concerns not just for this incident, but more broadly with how VA is approaching protecting the [Personal Identifiable Information] and other important data within its vast data systems and networks,” states a letter from Congress, signed by Democratic Ranking Member Jon Tester of Montana and others. “This is not a new vulnerability for VA. Rather, it is a long-standing weakness of the Department as identified by independent reviews conducted by the VA OIG and the Government Accountability Office (GAO) for more than 10 years.”

While VA now disputes the number of community care providers impacted, the agency admits that at least 13 were impacted with six where funds were diverted.

Why would VA fail to mention that its community care vendors were also victims of the cyber burglary scheme? And with all the billions pounded into the IT program each year, why does VA continue to fail to fix known vulnerabilities?

Simple. There is no significant penalty for data breaches by US government agencies right now.

An unfortunate turning point came in 2012 with a decision by the Supreme Court.

Since that point, there is a widely held belief that the federal government can practically do whatever it wants with the data of the American public with little to no consequence.

This belief took off almost a decade ago with the story of a pilot whose sexual orientation and medical data were improperly shared between federal agencies, resulting in significant embarrassment.

The pilot was homosexual and HIV positive.

In 2012, the Supreme Court held, in FAA v. Cooper, that individuals cannot recover damages from the government for emotional distress when the federal government violates their right to privacy. Instead, a claimant can only recover actual (pecuniary) damages, which are difficult to prove.

This position also apparently includes willful or intentional violations of the Privacy Act, and I’ll let you figure out how that might impact actions by VA officials or private actors working in conspiracy with federal officials to exploit the private data of veterans and others.

In the Cooper dissent, Justice Sotomayor wrote:

“After today, no matter how debilitating and substantial the resulting mental anguish, an individual harmed by a federal agency’s intentional or willful violation of the Privacy Act will be left without a remedy unless he or she is able to prove pecuniary harm. That is not the result Congress intended when it enacted an Act with the express purpose of safeguarding individual privacy against Government invasion. And it is not a result remotely suggested by anything in the text, structure, or history of the Act. For those reasons, I respectfully dissent.”

Based on fallout from the Court’s decision, Senator Daniel Akaka (D-HI) attempted to pass a bill to short-circuit the effect of this kind of lack of accountability, without success.

About the bill, Akaka stated:

“Finally, it would address the Supreme Court’s ruling restricting Privacy Act remedies earlier this year that has by many experts’ accounts rendered the Privacy Act toothless. In Federal Aviation Administration v. Cooper, the Social Security Administration violated the Privacy Act by sharing the plaintiff’s HIV status with other federal agencies. The Court concluded that the plaintiff could not recover damages for emotional distress because Privacy Act damages are limited to economic harm. My amendment would heed the call of scholars across the political spectrum to amend the Privacy Act and fix this decision. It would also clarify that in the event of a federal violation in the information sharing title of the bill, a victim would be entitled to recovery for the same types of non-economic harms.”

Today, we have a VA that continually fails to protect the private data of veterans, much of which is still sensitive or even top secret. Yet the federal government cannot be properly held accountable for protecting our data beyond the small gift of one year of credit protection.

Big whoop.

In light of President Donald Trump’s longstanding complaint against snooping, I would hope he would crack down on this kind of problem. Perhaps this kind of issue may be something he could get behind, and hopefully in the near term.


23 Comments

  1. I saw this on a news crawl last week, and the first thing that came to my mind was wondering if the hacked parties were working from home.
    Keep your heads on swivel folks and trust no one!

    OT
    I just need to put my foot down on some comments in the last article, from those that want to abandon Ben’s page over possible political articles he may post. Well bye-ya then! The US Constitution (and The Bill of Rights) is the bread and butter of our citizenship and the way of life we all enjoy, ONLY because we few signed the line and swore the oath to protect her.

    It is outrageous in my thought process to even consider that Veteran’s issues and programs, Military issues of all stripes and flavors, and even including world events, would have no need for discussion on these pages. Granted those issues have little bearing on VocRehab but, the same could be said about many topics that Ben has chosen for discussion on HIS blog! I am not advocating for a snipe-fest over whose opinion gets the most political loyalty likes. POTUS is CIC and like it or not, the triad of power and also his cabinet, are the deciders of what trickles into the lives of the pawns that must suck it up for meager wages.

    How long ago did JoeB… vote to bring China into WTO! Think about how many American Cos. now owe their souls to China. What has that decision actually done for American labor and the cost of living financials across the board. Is it justifiable that CEO’s of American Cos. with foreign factories and their laborers, have $M-$B salaries while American laborers can’t even get by on minimum wages? And if you think that is okay, then you are likely ignorant about Aus. life today. China has a large investment in Aus. ports and infrastructure. What happens when the loans can’t be repaid? There are four states in Aus. and they are all under Martial Law. No one can even go to their job without showing ‘zee papers’, and far too much else is going on to mention here. Do some research is all I can say. Here’s one I’ll give you: they haven’t legally had personal firearms in twenty years.

    Who are the enforcers during Martial Law? Clue: it’s not the police that the programmed rioting followers want to defund. Your Veteran status to afford you any favors.

    I have postulated on strategy in some of my previous postings. Anyone that understands pattern and strategy can get a glimpse of how the future could play out with either party in the power position. Right now, this country is forced by the MSM reports to play this stupid game of “opinionated divide & conquer” In order to keep the grazers from seeing the whole picture of life as it is becoming for all of us. Now here’s a civics question for you: if neither candidate is in the top seat, who gets the prize? And, is that really the person you want to conduct the orchestra? Do you realize that FEMA is dictating nationwide power at this time? Please do some research. Six months is up. MSM isn’t updating us on the topic.

    This is not the time to remain a single issue voter. Everyone should consider several main issues and do a pro vs. con T-chart before making a deciding vote. Global politics has to be a major factor in the decision making, and yes, that means doing some research and in some cases it means looking at the outcomes of prior administration’s decisions and how they are effing us up today and in the future. Remember the weapons buy-back that was tried here? The car buy-back to cement the engines forcing more computerized vehicles to be produced by the bailed out industry? We can’t leave out medical tyranny. How many more of these forgotten “little” big things can you come up with to reconsider?

    If you follow any type of team required projects, be it military, sports, business, politics, whatever, you know that the finest line of the outcome depends heavily on the activities behind the scene, as well as the strength of each link of the chain through the execution. In this last two months away from Ben’s articles, I have done copious research on some of the behind the scenes activities and the outcomes that have transpired during this administration. I feel I can rest assured that the monkey-shines & guffaws MSM prefers to report are just that, and I am confident in the real and important work that has been and is being done for our national security.

    Oh, isn’t this just lovely! “https://www.military.com/daily-news/2020/09/18/no-more-drill-sergeant-shark-attack-army-moves-toward-kinder-basic-training-start.html” Do all of the ‘panty-waists’ also get to leave BOOT CAMP with a participation trophy?

    This video might have relevant info for our K2 Veterans. If you aren’t familiar with Brad’s site, be advised that his trademark is to use a push-button bomb explosion effect aurally and visually in response to “Heads-Up” info.
    The Secret Base Is Killing Veterans | Dropping Bombs Podcast (Ep 301) Ft. Mark T. Jackson “https://www.youtube.com/watch?v=OcdDBFpMTMk”
    “Mark T. Jackson is an Army combat veteran, Federal agent, and veterans advocate. Earlier this year, he became a lobbyist, provocateur, and advocate for veterans of a small, secret base once located in southern Uzbekistan called K2.”…

    These two articles just hit home for me, even though they are written by a retired GP in England. “http://www.vernoncoleman.com/over60.htm” & “http://www.vernoncoleman.com/notfree.htm”; I can’t help but see the similarities. He is also known as “the old man in a chair”, re: his well-known YTvids.

    1. I found this “https://www.askwoody.com/2020/get-a-password-protected-zip-file-attachment-just-say-emotet/”, and again, I have concerns where employees that handle others’ private/sensitive information are allowed to “work from home”. It is difficult enough for corporate IT’s to maintain any secure environment as it was before “lockdown”. What controls are steadfastly in place to guarantee that same level of security at a worker’s “home”?
      Early in “lockdown”, I made a business call that would require voicing sensitive information. The receiver of that call was on speaker-phone, admittedly working from “home” and trying to assure me they were alone. Secure? I don’t think so!
      Be careful out there!

  2. I have a rare form of muscular dystrophy. For 2 years every time I tried to get home based primary care I was told I was going to be placed in a 24 hour a day care hospice facility. It was not time for hospice. Each time I said “Not no, but hell no!” I was told just think of it as skilled nursing care. I said, “Well I’m sure not getting that here.” Last year I had a sudden decline in my health. My civilian doctor told me I was end stage and needed to get my affairs in order. I had changed primary care doctors at the VA. When I met with my new pcp I told her I was end stage. She said to come back in 6 months. I asked her if this was her way of saying she didn’t want to see me again because the odds were I wouldn’t live that long. I needed to be seen much sooner. She said she WASN’T ALLOWED to see patients more than every 6 months, but I could see her nurse in 3 months. Are you kidding me?!? Thank God I have Medicare and can go outside the VA to get real healthcare.

  3. I’ve been getting harassing PM, Night, Weekend phone calls for years – when I tell someone, I’m poo-pooed.
    When the Military changed from using issued ID numbers to Social Security Numbers and then Insurance Companies took over health care, lives changed forever.
    In Oct68 I was admitted to the VAMC MPLS for treatment of a shotgun wound (on Apr27,1968, 4 months after discharge, I put a long barreled over/under shotgun to my neck, using ruler to push the trigger – ruler slipped, pushing the barrel onto my left chest as it went off ) I asked for a Blood Lead Level because the remnants of the buckshot remained in my chest/shoulder. “Lead is inert and won’t hurt you.” As a Nuclear Medicine Technologist I knew the dangers, but needed the health care. In 2015 a private doc asked me if I had a Blood Lead Level done because of all the lead in me – “No” – two days later the Minnesota Health Department called telling me to get to an emergency room ASAP because my Blood Lead Level was in the toxic range. I took the info to my Primary Care at the VA “Oh, a blood test”, she sent me to a Hematologist “I don’t know anything about this, but we’ll just repeat the test next month”. The story gets weirder, but right now my teeth are rotting out, my heart is in permanent aFib, Neuropathy has taken my touch feeling and weakened my muscles, my bones break and won’t heal, my left arm is gone, I can’t walk, I am incontinent, and am “just a whining psych patient”. I have lead poisoning that is evident both by blood and the buckshot seen on xray – no Toxicologist at the VA and Private ones won’t take me because I’m not a baby chewing on paint or a drug addict – I have lost the ability to add & subtract, etc – BUT, I was blessed with a good brain and so far am not giving up on the hope that there may be someone that wants to learn while I’m alive what lead (Pb) can do to the body –
    Thank You for “listening”

  4. When did breach occur? My direct deposit info was changed & my July 2018 VA comp payment went somewhere else. I changed my banking info & eventually received my payment.
    A TV reporter from Colorado Springs did a story about it after he was contacted by a veteran that had the same story as I. His report said it costs over $1 billion for the incident, the $$$ lost to the crooks plus the repayment to the vets.

  5. Hey, speaking of lax oversight, how about that $2 trillion that was laundered, flagged, and not enforced by the greatest cuntry in the universe? Gets me all flag wavy.

  6. Cheyenne v.a. rated 2 out of 5 stars by Inspector General in late 2018.

    Complexity rating a 3 which is the lowest possible. Means they have extremely limited capability.

    Lab results way off the scale for me and they could give a shit BUT don’t!!!

    I have a rare blood disorder (double jeopardy because blood too thick and too thin at the same time – I could bleed to death if cut, surgeons complain I bleed way too much during surgeries) and they flat out refuse to send me downtown to a credible hematologist.

    Benjamin Krause, if you want a story come to Cheyenne, WY and investigate this SHITHOLE of a medical facility!

    1. I am one of the 46,000 veterans. When I discovered what occurred, you can imagine how I felt. Of course, no one at the VA cares. They all just shrug their shoulders and say “not my fault” or “not my problem.” This fiasco is just another item to add to the list regarding the ways the VA has made my life worse. I lost all faith in the VA a while ago. I wish they would come right out and say they hate veterans. It is obvious by the way they treat us.

  7. Thanks Benjamin,
    I am pleased you are back. I hope situations are improving.
    And, “Hello” to everyone on this blog.
    🇺🇸🗽

    1. Same song different day.
      Kind of strange that in 2019, they were quick to dump veterans health information into the public health exchanges with lack of privacy and now in 2020, they are crying victimhood from the hackers.
      Benjamin, it seems like the people in the VA cannot make up their minds on which side of the position they are on. They are on both sides of the fence. They want it all the ways. From the VA perspective, they believe the more dysfunction they have means even more money coming their way. Hands out to the President and the Congress all the time. Good question? Where is the money going? I sure have not experienced any of it to help me land more substantive employment. Hell, I have been reluctant to go back because I was and am tired of straightening up and correcting behind them. Please either DOJ start holding people accountable or just shutdown the government. Because it does not serve anyone. Besides the power belongs to the people not the government. This country is run by the people, i.e., production, manufacturing, construction, growing, innovation, building, and supplying. The government just sits there and spends money to infinity with no accountability and plus just continues to print money which goes back to Henry Kissinger and Nixon involving the oil from the middle East. Has to do with the central banking system and the federal reserve. Globalists. Sad.

  8. I’d like to know “Where is all that taxpayers monies going?”

    There’s been many articles out, which I couldn’t post here, from *”military dot com”* that explore how vets are not being treated well at a number of VA facilities.
    Did you know a fed court in West Virginia just tried a serial killer working at a VA hospital?
    Or,
    How about changes in Tri-Care?

    Y’all might want to subscribe to military dot com for more information affecting your rights!

    1. Here’s another article;
      *”https://www.military.com/daily-news/2020/09/21/house-plan-avoid-government-shutdown-includes-money-2-nuclear-submarines.html”*

    2. That so-called veteran’s site banned many of us on their forums in the past and still cannot get subbed to their news. If we were discussing wrongs and problems with the VA we were censored then banned by the new moderators and rulers there.

      That said, in my state and town there is no such thing as HIPAA laws adhered to. VA retaliation has continued to this day with civilian care being no better. Been years dealing with trying to get copies of my own health care from a civy hospital and what the VA sent to them.. won’t happen. The staff and CEO of the hospital refuse to even forward any records elsewhere for care and the MDs I have tried to see report they cannot request my files, I have to sign the forms (done three times with no results) and their records department has to then send them per my request. Which has been denied since like 2015. Veteran’s groups like the medical boards think this is funny like the legal system here does, along with all others.

      Sue Bozgoz is an ADA that is also out showing how corrupt the entire system is… bottom to top.

      I was told not to expect any kind of “privacy” in today’s world by hospital staff. “People do talk and countless people have access to our files.”

      This is not the first of any leaking and won’t be the last. The world already has any info on us they desire.

  9. Too many systems that do not talk to each other. Trying to link them opens doors.

    Cheaper and better to implement one universal system and close all the doors to the others. Do it with software not hardware. Hardware companies trying to lock in forever contracts is the problem. An apple anyone?
