House Republicans push VA for details on recent data breach

Republican members of the House Oversight and Reform Committee on Tuesday pushed the Department of Veterans Affairs (VA) for answers about a recent data breach that exposed personal details of at least 46,000 veterans. 

Rep. Jody Hice (R-Ga.), the ranking member of the committee’s subcommittee on government operations, led more than a dozen of the committee’s Republican members, including House Oversight and Reform Committee ranking member James Comer (R-Ky.), in sending a letter to VA Secretary Robert Wilkie on Tuesday expressing concerns around the security incident. 

“Data breaches of any kind are concerning, but particularly so when the targeted data is held in trust by the U.S. Government and where it affects veterans,” the members wrote. 

The letter was sent over a month after the VA disclosed that its Financial Services Center had discovered that an unauthorized user had accessed an application used to help veterans pay for medical care and diverted funds meant for community health providers, with Social Security numbers among the data compromised.  

The VA noted in September that the compromised system had been disabled while the VA’s Office of Information Technology conducted a review of the incident. The VA said notifications were sent out to veterans and next-of-kin of deceased veterans whose data had potentially been compromised, and that the agency would provide free credit monitoring. 

“Although we commend the VA for its apparent quick response in taking the application offline and investigating the breach, as well as its efforts to notify affected individuals, we are concerned about veterans’ personal information being vulnerable and the potential consequences data breaches such as this have on affected veterans,” the Republican House Oversight and Reform Committee members wrote Tuesday. 

The Republican members requested a staff-level briefing from the VA on the agency’s response to the data breach incident, including the potential negative consequences for veterans whose data was exposed, and steps the VA is taking to ensure the safety of veteran personal data in the future. 

A spokesperson for the VA told The Hill that 13 community care providers were impacted by the data breach, and only six had payments diverted, noting that the VA is “working with those vendors to compensate the lost funds,” along with providing credit monitoring to veterans impacted by the breach. 

“The Department has made steady progress in improving cybersecurity by taking numerous actions to bolster VA’s security posture, including revising policies, adding additional monitoring capabilities, and improving workforce incorporation of cybersecurity and privacy habits,” the spokesperson said in an emailed statement to The Hill. 

The September data breach was not the first cybersecurity incident the agency has faced. In 2006, the VA was hit by a massive breach when a computer disk was stolen that contained the names, Social Security numbers and birth dates of around 26.5 million veterans, including several lawmakers. 

The VA’s Office of Inspector General published a report last year that found the VA’s Milwaukee regional office had “mishandled” veterans’ personal data, leaving it exposed to around 25,000 remote network users for months.

The Republican House Oversight and Reform Committee members are not the first on Capitol Hill to raise concerns around the data breach. 

The Democratic members of the Senate Veterans Affairs Committee, led by ranking member Jon Tester (D-Mont.) sent a separate letter to Wilkie in September criticizing the VA for the breach and asking for further details. 

“This incident raises numerous concerns not just for this incident, but more broadly with how VA is approaching protecting the PII [personally identifiable information] and other important data within its vast data systems and networks,” the committee’s Democratic members wrote. 

“The information provided to Congress on this incident raises countless questions and does not instill confidence that VA is adequately addressing the current incident or working to better safeguard private information in the future,” they added.

-Updated at 2:05 p.m.