The U.S. Department of Veterans Affairs (VA) has announced that the personal and protected health information of approximately 46,000 veterans has potentially been obtained by unauthorized individuals who were attempting to divert VA payments intended for community healthcare providers.
The attack involved the use of social engineering techniques to obtain credentials for an application used by the VA’s Financial Services Center (FSC), with the attackers also exploiting authentication protocols to gain access to the application.
Once authenticated, the attackers attempted to make changes to the bank account information of the community care providers to direct payments to accounts under their control. It is unclear how many fraudulent transfers were made before the breach was discovered. The payments to community healthcare providers were being made to pay for medical services for veterans.
In addition to rerouting some payments, the attackers stole veteran data that was accessible through the application, including personal and financial data and Social Security numbers.
Upon discovery of the breach, the application was taken offline and is now being reviewed by the VA’s Office of Information and Technology. The application will remain offline until the review is completed.
Veterans affected by the breach are being notified by mail, and complimentary credit monitoring services have been offered to individuals whose Social Security number was compromised in the breach.