46,000 veterans' personal information compromised in hack of VA system

Social security card
Photo credit Getty Images

About 46,000 veterans' personal information was compromised when a Department of Veterans Affairs online system was hacked, officials said Monday -- one of the worst data breaches for VA in the last decade.

The compromised data may have included social security numbers.

Veterans who were affected by the breach should be contacted by letter, with instructions on how to protect their information. If veterans do not receive an alert by mail, then their data wasn't involved and they don't have to take any action, VA said. 

Hackers broke into an online application for the VA Financial Services Center, intending to steal payments to VA-contracted community healthcare providers, the department said in a news release Monday. The center took that  payment system offline and a "preliminary review indicates these unauthorized users gained access ... to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols."

VA officials said the system won't go back online until it's a comprehensive security review by the department's IT office is complete. 

VA did not include details on what types of data were compromised, but said that it planned to offer free credit monitoring services "to those whose social security numbers may have been compromised." 

At least some of the veterans involved in the breach may be dead, and VA officials said they will be notifying next-of-kin in those cases. 

In the past 10 years, VA has had five other major data breaches in which more than 5,000 veterans’ data was compromised, according to documents obtained by Connecting Vets through Freedom of Information Act requests. The breaches have largely worsened over time including with the latest announced this week, though they remain a smaller percentage of the millions of records VA possesses. 

The latest breach affects about the same number of veterans as the next five largest breaches put together. 

  • 19,254 veterans in October 2018 
  • 7,029 in November 2014
  • 7,405 in February 2013
  • 5,126 in June 2011
  • 5,933 in April 2011

The first breach in 2011 and the 2018 breach both directly involved protected health information (PHI). The second breach in 2011 involved financial information and VA was required to offer credit monitoring to thousands of veterans.

More than 26 million veterans, troops and family members had their data compromised in 2006 after a VA worker's laptop was stolen. 

Government watchdogs and advocates have repeatedly warned that information security is a major challenge at VA. 

A VA Inspector General report released last year found that “veterans’ sensitive personal information was left unprotected” on two shared network drives accessible to veteran service organizations not connected to those veterans. 

Investigators “determined that mishandling this sensitive personal information was a national issue” in part because VA staff “failed to discover and remove any sensitive personal information stored on shared network drives.”

“Without better protection, veterans and VA are at risk,” the report said. “Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft.”

Veterans or family members who receive notification that their personal information was affected can reach out to the Financial Services Center help desk directly at VAFSCVeteransSupport@va.gov or by mail

VA largely silent on measures to protect veterans' data. Here's who can access your records.

Information security is a 'major challenge' at VA, watchdogs tell Congress