Health Data of Millions of Veterans Potentially Exposed in Cyberattack on VA Vendor
In a significant breach of data security, the personal health information of a potentially vast number of U.S. veterans is at risk following a cyberattack on a key vendor for the Department of Veterans Affairs (VA). VA Secretary Denis McDonough revealed the concerning development during his monthly news conference, highlighting the scale and seriousness of the incident attributed to Change Healthcare, a major player in healthcare payment processing.
According to McDonough, Change Healthcare, deemed the largest payment processor in the U.S. healthcare system, raised the alarm about a compromise that could have broadly exposed sensitive data. “A substantial proportion of people in America could have had some information leaked,” McDonough disclosed, underscoring the gravity of the situation and the broad implications for data privacy.
The VA has been actively seeking further details from Change Healthcare and is not postponing steps to secure veterans’ data and provide necessary support. “We are not waiting for that confirmation,” McDonough emphasized, signaling the VA’s proactive stance in responding to the breach.
Change Healthcare plays a pivotal role in facilitating healthcare transactions. By acting as an intermediary, it allows clinics, pharmacies, and community healthcare providers to submit claims for services rendered to VA patients. These claims are processed through a portal managed by Change Healthcare, ensuring smooth payment transactions.
The nature of the breach was identified as a “malicious criminal cyberattack” by United HealthGroup, the parent company overseeing Change Healthcare operations. After conducting an audit, the company reported that an initial review of their systems unveiled files containing protected health information (PHI) or personally identifiable information (PII), implicating a significant portion of the American populace.
Importantly, the company has found no evidence to suggest that comprehensive medical histories or detailed doctor’s charts were extracted from its databases. The perpetrators behind the cybersecurity threat were pinpointed as a criminal organization deploying ransomware to compromise United HealthGroup’s security measures.
The initial repercussions of the cyberattack were felt in February when the VA experienced disruptions in payment processing and delays in prescriptions for veterans relying on VA health services. McDonough reassured that the incident had “impacted a good number of our IT functions, community care payment processes among them,” but affirmed the restoration of many affected capabilities.
Further addressing concerns about potential impacts on patient care, McDonough clarified that patient services were not compromised by the breach. Efforts have since escalated to restore all IT functionalities fully and fortify security mechanisms to safeguard veteran data from similar threats.
In a gesture of responsibility, veterans affected by the breach have been offered two years of complimentary credit monitoring, a service funded by Change Healthcare. Additionally, the VA is extending resources to veterans to aid in identity theft prevention and combat fraud.
As more information unravels about the extent of the breach, McDonough assured that timely updates would be communicated to relevant stakeholders, including Congress, veterans service organizations, and directly to veterans. “We are committed to transparency and moving quickly to provide full support for protecting veterans and their data,” McDonough emphasized, reiterating the VA’s dedication to maintaining the trust and security of America’s veterans in the wake of this significant data security challenge.
