DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Our veterans deserve better infosecurity of their information

Posted on October 30, 2015 by Dissent

When News3 in Madison, Wisconsin started digging into a breach involving 637 veterans’ Social Security numbers, what they found should have everyone asking the VA some hard questions. Adam Schrager reports:

The Social Security numbers of Wisconsin veterans are being sent via email without encryption despite numerous federal laws and U.S. Department of Veterans Affairs regulations requiring personally identifiable information be password-protected.

It partly explains how a random Wisconsin veteran received an unsolicited email on April 1 with the Social Security numbers and disability claim information of hundreds of Wisconsin veterans. Since the Vietnam War, veterans’ file numbers or disability claim numbers have been their Social Security numbers.

A Wisconsin Department of Veterans Affairs spokesperson said the software program, Ironport, which is used by the federal VA, intentionally does not flag nine-digit numbers without dashes because of the concern that there would be too “many false positives.” She said nine-digit number sequences where dashes are used would require the person sending the email to encrypt it before it could be sent or to remove the nine-digit number sequence with the dashes.

But wait, it gets worse.

The veteran dutifully notified everyone about the breach, but things started to get ugly when the Wisconsin Dept. of Veterans Affairs started demanding that he and his advocate destroy all the records.

The veteran responded in an email obtained by News 3 that multiple groups were investigating the matter and he wanted to know if he was being asked to “destroy evidence.”

His answer came less than a month later when he and his advocate were sued in Dane County Circuit Court, in an effort to compel them to destroy all evidence of the email and the attachment.

And if that doesn’t frost your cookies, consider this: when the 637 veterans whose names and file numbers were in the attachment were notified of the breach and offered credit monitoring, they were told that the incident was a “one-time disclosure to one unauthorized individual, who is a Veteran.”

However, less than a week after that, the department’s own investigator determined that the data report inappropriately sent on April 1 had also been sent to “unaccredited recipients.”

Not only that, but apparently the USDVA Network Security Operations Center was “already aware of the problem of certain emails making it past the filter.”

Digging into it all further, News 3 found (unsurprisingly) that the April 1 incident was not an isolated incident at all.

On at least three other occasions (June 1, 2014, Oct. 1, 2014 and Dec. 1, 2014), the same data report was also sent unredacted to “unaccredited recipients,” or as defined by the VA, people who are not trained to view such personally identifiable information. In fact, the administrator doing the internal investigation is himself “unaccredited,” according to USDVA documents, and thus, not supposed to look at personally identifiable information of Wisconsin veterans such as the material erroneously sent.

You’d think that by now, the VA would have gotten its act together on this stuff.  How is that these veterans’ information has been sent out without proper protections on at least four occasions to unaccredited recipients? If I was one of these veterans, I think I’d be looking for a lawyer to sue the VA already.

You can read Schrager’s full news story on Channel3000.com.

Related posts:

  • Veterans Administration responds to Freedom of Information request; releases breach reports
  • More than 2,000 veterans had their PHI breached in April
  • Update: eBenefits breach caused by software update
  • Update: eBenefits breach caused by software update
Category: Commentaries and AnalysesExposureGovernment SectorHealth DataOf NoteU.S.

Post navigation

← First data breach case granted standing in Pennsylvania
Aussie Farmers Direct hacked, user details posted online →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.