Hackers Divert VA Payments Intended for Healthcare ProvidersFraud Scheme Exposes Data of 46,000 Veterans
A security incident in which hackers used social engineering techniques to divert Department of Veterans Affairs payments intended for healthcare providers compromised the personal information of 46,000 U.S. veterans.
The VA's Financial Services Center discovered that malicious actors gained unauthorized access to one of its applications to divert payments to community healthcare providers and money used to provide medical treatment to veterans. The compromised application has been taken offline, the VA reports.
A preliminary investigation reveals that cybercriminals exploited authentication protocols and used social engineering techniques to access the application and then change the financial information of the accounts and divert payments, according to a VA statement.
The VA's office of information technology has shut off system access until a "comprehensive security review" is conducted, the statement notes.
Individuals whose data was breached are being notified, and the VA is offering free credit monitoring services to veterans whose Social Security numbers were compromised.
In a statement to Information Security Media Group, the VA says impacted personal information includes veteran names, Social Security numbers and claim numbers. "The breached application was taken off-line on July 17. VA's Office of Information and Technology and the FSC confirmed on July 20 that a breach had occurred," the VA explains.
However, the VA declined to disclose to ISMG whether any payments meant for healthcare providers were actually diverted, and if so, how much. "VA's independent inspector general is investigating this issue, and in order to protect the integrity of the investigation, VA can't comment further," the statement says.
Other Money Diversion Schemes
The healthcare sector has been hit by other money-diversion schemes. For example, last fall, UAB Medicine in Birmingham, Alabama, reported a phishing-related breach affecting nearly 20,000 individuals that attempted to divert payroll deposits.
"Information security is an arms race," says Mike Weber vice president of security consulting firm Coalfire. "As defensive techniques evolve, so do offensive techniques. Phishing has seen evolutions from simply emailing malware to account credential harvesting via 'trawling' to spear-phishing using a heavy dose of OSINT [open source intelligence]," he says.
Security incidents involving social engineering will continue to evolve, he says. "The next step in this attack vector could be combining approaches - like sending a well-crafted spear-phish and following it up with a phone call from the attacker to follow up on it, thereby enhancing the legitimacy of the attack and raising the probability of success."
Weber says organizations should take steps to help avoid falling victim to attempts by attackers to divert payments. "Just like two-factor authentication can defend against password attacks, two-person authorization for sensitive transactions is an effective old-school control," he notes.
"It's not appropriate for small transactions, though, as that would likely have serious impacts on the flow of business. It's hard to tell from the VA statement, but I would presume that this was a social engineering attack that gave the attacker access to a large swath of accounts at once, which one could consider a high-value, sensitive transaction."
Other VA Incidents
The VA incident is the latest of many data breaches in recent years involving the VA.
Back in May 2006, the VA reported a breach stemming from a stolen unencrypted laptop that contained information on more than 26 million individuals. Although the device was eventually recovered and the FBI determined that no personal information was inappropriately accessed, the VA agreed to pay $20 million to settle a breach-related lawsuit filed by veterans (see: 2006 VA Breach: Assessing the Impact).
In a report issued October 2019, the VA Office of Inspector General said its review of the Milwaukee VA regional office found that veterans' sensitive personal information was left unprotected on two shared network drives (see: Veterans' Data at Risk on Shared Network Storage Devices).
The latest VA incident "further underscores the need for federal systems to rapidly modernize IT security capabilities," says Tim Wade, technical director of the CTO team at the security firm Vectra. "Leadership at the top must take accountability, and cultural changes must occur, if we are to expect these patterns to abate."
Some security experts say government and private-sector organizations alike need to step up their defenses against socially engineered schemes - especially in light of the large remote workforce during the COVID-19 pandemic.
"Entities should initiate or ramp up their security awareness programs to educate and remind remote workers that they are at increased risk of being targeted," says Cindy VanBree, senior security consultant at the consultancy Pondurance.
"There are a number of very effective social engineering testing products available that simulate a phishing attempt and provide real-time feedback for workers who take the bait," she notes.
VanBree also suggests that IT departments "provide workers a way to report suspected social engineering attempts."