Data Breaches Expose Vets, COVID-19 Patients

data breach va nhs

Social engineering and employee mistakes lead to breach Veteran’s Administration and the National Health Service.

A pair of healthcare-related data breaches at high-profile government agencies has impacted tens of thousands of people.

First, a cyberattack at the U.S. Department of Veterans Affairs (VA) has impacted about 46,000 veterans, exposing their financial information. And another incident, at the U.K.’s National Health Service, exposed personal information for 18,105 Welsh citizens.

Vets Caught Up in Financial Breach

In the first instance, an internal tool used by the VA’s Financial Services Center (FSC) was hacked and used to intercept and steal funds that had been earmarked as payments to community healthcare providers, it said. The VA’s coverage of these payments is handled by the software tool, which contains veterans’ financial data, Social Security numbers and more.

Threatpost Webinar Promo Bug Bounty

Click to register.

“The exposure could have been much greater. It’s likely that security technology was in place which detected a high volume of record changes in this event as the threat actor was editing the individual financial records to divert the payments,” Ilia Sotnikov, vice president of product management at Netwrix, said via email. “Any time there is heavy, unusual activity the likelihood of a breach is high.”

The FSC took the application offline once the unauthorized access was discovered – no timeline for when the breach occurred has been given.

“A preliminary review indicates these unauthorized users gained access…by using social-engineering techniques and exploiting authentication protocols,” according to a press release from the agency. “To prevent any future improper access to and modification of information, system access will not be reenabled until a comprehensive security review is completed by the VA Office of Information Technology.”

The FSC is notifying affected vets as well as the next-of-kin of those who are deceased.

“It’s too early to say whether new configurations related to the change to work from home played a role in VA hack or not, but it might be a good reminder for other companies to review decisions made in March and April as they were quickly adopting to the new ways of staying productive,” Sotnikov said. “Because this is just one of multiple breaches effecting veteran data, the VA needs to ensure they are taking every security step necessary to not only protect financial data, but also the sensitive personal and healthcare data for the veterans it serves.”

COVID-19 Patients Exposed

Meanwhile, the Wales arm of the NHS announced that personally identifiable information (PII) of Welsh residents who have tested positive for COVID-19 was exposed, through “individual human error.”

The incident took place on August 30, when positive coronavirus patients’ data was accidentally uploaded to a public server, instead of the correct server, where it was searchable by anyone using the site. The situation was rectified less than 24 hours later – and in the 20 hours it was online it had been viewed 56 times, the NHS Wales said in an online announcement.

“In the majority of cases (16,179 people) the information consisted of their initials, date of birth, geographical area and sex, meaning that the risk they could be identified is low,” according to the statement. “However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting. The risk of identification for these individuals therefore is higher but is still considered low.”

There is no evidence at this stage that the data has been misused, but the NHS Wales has opened an investigation. It also is researching actions for preventing this kind of mistake in the future, it said.

“While the recent data breach of personally identifiable data of Welsh residents, as revealed by Public Health Wales, is not an unusual exploit or malicious stratagem, the disclosure statement is remarkable,” said Mike Kiser, senior security strategist and evangelist at SailPoint. “It is clear, timely, and accepts responsibility for the failure: A rare trifecta for breach notifications. The FAQ is particularly helpful, as many individuals may not have the inclination to sort through a formal statement.”

He added, “The note even includes a direct link to the public-facing system through which the data was mistakenly divulged. Demonstrating transparency and accountability through clear, honest communication is essential for the public to trust organizations with their personal data. Disclosures such as this one that demonstrate a commitment to an ethical approach deserve commendation.”

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles