The Department of Veterans Affairs (VA) experienced yet another healthcare data breach, as it announced last week that approximately 7,000 veterans’ information was potentially exposed after a contractor’s database flaw.
The VA was notified of the incident on Nov. 4, and said that it was due to a potential flaw in a vendor’s system, according to Federal News Radio. The VA told the news source that the vendor was supposed to provide home telehealth services to veterans. More than 790,000 veterans reportedly took advantage of this program in 2014.
“An investigation was immediately initiated and security scans were conducted by VA, which confirmed the concern,” the spokesman said. “The contracted vendor has assured VA that only vendor staff and VA staff had accessed this information. The security flaw in the vendor database was immediately corrected and VA continues to closely monitor the application.”
Information that was potentially exposed via the internet includes names, addresses, dates of birth, phone numbers and VA patient identification numbers. Veterans who were possibly affected have been notified by the VA and are being offered complimentary credit protection services.
The VA did not name the vendor that was involved. However, according to the third-party company, no data was actually exfiltrated through the security hole. Rather, the information was potentially seen after a database was inadvertently exposed online, according to the Federal Times.
This is just the latest in a long line of cybersecurity issues for the VA. In November, the agency failed its annual cybersecurity audit for the 16th straight time. Full results were not released, but VA Chief Information Officer Stephen Warren presented the audit results at a House Veterans Affairs Committee hearing. According to Warren, the results were disappointing, especially since “significant time and effort” had been put in during 2014.
Even so, auditors told VA leaders that noticeable progress had been made from the year before. In 2013, the VA Office of Inspector General (IG) found 6,000 specific cybersecurity vulnerabilities and made 35 separate recommendations to close weaknesses. This year, the IG said the list of vulnerabilities had been cut by 21 percent.
The cybersecurity report followed a US Government Accountability Office (GAO) investigation that also found the VA lacking in terms of cybersecurity. While the VA took action to fix the problems that led to a 2012 breach, the GAO stated that weaknesses identified on VA workstations had not been corrected in a timely manner. This could increase the risk that sensitive data, such as veterans’ personal information, could be compromised.
“Specifically, by not keeping sufficient records of its incident response activities, VA lacks assurance that incidents have been effectively addressed and may be less able to effectively respond to future incidents,” the GAO report stated. “In addition, without fully addressing an underlying vulnerability that allowed a serious intrusion to occur, increased risk exists that such an incident could recur.”
These security issues demonstrate why healthcare organizations must not only maintain their own cybersecurity measures, but also ensure that all third-party companies have current protections in place. Creating business associate agreements (BAAs) that account for cybersecurity issues is critical, and can help keep all parties accountable should a healthcare data breach occur. The contract will also clarify and limit how a business associate uses and discloses protected health information (PHI). Without a clear BAA, it can be more difficult to maintain patients’ privacy and mitigate a possible healthcare data breach.