VA struggles with security continue; number of vets impacted rises

Veterans who saw their personal health information compromised rose once again in April after a sharp fall in March; 987 vets were affected last month, according to a report from the U.S. Department of Veterans Affairs.

Of the 987 vets affected in April, 738 were in relation to protected health information incidents. 

The number of cyberattacks against the VA did drop last month compared to March, and zero veterans were impacted by cyberintrusion or malware events. But incidents such as lost devices, lost PIV cards and paper record mismailings still put vets' infomation at risk. This is especially worrisome on the heels of news that the VA failed its Federal Information Security Management Act Audit for Fiscal Year 2014, the 16th consecutive year it has failed the audit.

As the number of attacks on the agency grows, VA CIO Stephen Warren said on a press call that IT networks must prepare for the future, and for the possibility of a worst-case scenario, according to Federal News Radio.

Currently, the agency is at an elevated state of cybersecurity, Warren said; he added, however, that his team must be ready to go to severe or critical if the need arises. The team is meeting to discuss what can be done as threats to the system grow, and the VA will also host an internal cybersecurity summit in early June.

Other ways the VA is tackling the growing threats includes spending time and money on cyberservices from the Department of Homeland Security, one of the reasons threats decreased in April, Warren said.

More funding for fiscal year 2016 also was requested by the agency in February. It asked for about $24 million more than previously requested.

But the VA has a lot of work ahead to come back from all the problems it has faced, which not only include the failed audit but criticisms from the Government Accountability Office after the VA's Office of Inspector General reported that two VA contractors had improperly accessed the VA network from foreign countries using personally owned equipment.

That's in addition to a report the GAO released in November saying that while the VA had taken action to address previously identified IT vulnerabilities, it did not do enough to prevent future problems.

Editor's Note: FierceHealthIT previously reported that the events where 987 vets had their information exposed were due to data breaches. However, the events were tied mostly to mishandling or mis-mailed incidents. We regret the error.

To learn more:
- here's the April report (.pdf)
- read the Federal News Radio article