VHA data breach exposes PHI of more than 2,300 veterans

On December 3, 2024, the Veterans Health Administration (VHA) reported a cybersecurity attack on a vendor’s server, potentially exposing the protected health information (PHI) of 2,302 veterans across six healthcare systems. 


What happened  

Malicious actors launched a ransomware attack on a server that DBP, Inc., a medical transcription vendor, manages under its contract with the VHA. The attackers encrypted the server and copied sensitive files from it. Exposed data included veterans' full names, Social Security numbers, and medical record details.

VHA officials have since disconnected the compromised server from the internet and launched an investigation. DBP, Inc. will also replace the affected hardware and strengthen its cybersecurity controls to prevent future breaches.  


By the numbers  

  • 2,302 veterans were potentially affected.
  • 1,069 from the VA Amarillo healthcare system.
  • 616 from the VA Minneapolis healthcare system.  
  • 386 from the VA Boston healthcare system.  
  • 144 from the VA Togus healthcare system.
  • 37 from the VA Connecticut healthcare system.  
  • 25 from Baltimore VA Medical Center.


In the know  

The Veterans Health Administration relies on vendors such as DBP, Inc. to handle administrative tasks like medical transcription. While these partnerships increase efficiency, they also create risk when a vendor's systems are inadequately protected.


Why it matters

Third-party cybersecurity weaknesses can have widespread impacts even when an agency's internal systems are secure, as this data breach shows. As ransomware attacks continue to escalate, agencies like the VHA must strengthen the cybersecurity requirements they place on contractors and improve vendor oversight to safeguard patient data and maintain trust in healthcare systems.


What’s next

Veterans impacted by the breach will receive Privacy Notification Letters detailing the scope of the breach and potential risks. Local VA Privacy Officers are available to answer questions at 1-844-838-5433 during business hours.  


FAQs

What is protected health information (PHI)?

Protected health information (PHI) refers to any information in a medical context that can identify an individual and is related to their health status, medical care, or payment for healthcare services. 

Examples include names, addresses, birth dates, Social Security numbers, medical records, lab results, and insurance information.


What is a ransomware attack?

Ransomware attacks are a type of cyberattack in which hackers gain unauthorized access to a computer, encrypt its data, and demand payment in exchange for restoring access to that data.

Hackers often target sensitive information like personal, financial, or healthcare data, crippling the victim's operations until the ransom is paid or the data is recovered by other means.

Ransomware spreads through phishing emails, malicious links, or software vulnerabilities, exploiting weak cybersecurity defenses. Even after paying the ransom, victims are not guaranteed data recovery.


Can HIPAA-compliant email improve cybersecurity?

Yes. HIPAA-compliant email solutions, like Paubox, offer audit trails, access controls, and malware scanning that track PHI access and limit exposure to phishing and malware attacks.

Learn more: HIPAA Compliant Email: The Definitive Guide