Online security expert Jeremiah Fowler has discovered an online database holding the protected health information (PHI) of approximately 200,000 U.S. military veterans was accessible until the issue was mitigated on April 18 of this year.
The database was being used to store veterans’ identities, birth dates, contact details, medical data, appointment dates, unencrypted password details, and billing information. Access could be gained without a password and the information could be viewed, downloaded, deleted or amended by any individual.
When the breach was first identified in April the database was linked to United Valor Solutions, a Jacksonville, NC-based contractor supplying disability evaluation services to the Department of Veterans Affairs (VA) and other government agencies.
The group was contacted by Fowler and the database was rapidly secured. While it remains unclear for how long the database was accessible, United Valor Solutions said the issue was resolved by its contractors as soon as they were made aware of the issue. The company issued a statement claiming that the only access appears to have been from internal IP addresses and Fowler’s.
A VA spokesperson confirmed that the Veterans Benefits Administration Privacy Office and the Medical Disability Examination Officer are assisting United Valor Solutions’ contractors with the investigation of the data breach and that the VA Data Breach Response Service is investigating the incident independently.
Fowler, commenting on his discovery, said he found evidence of a ransomware attack within the dataset. A message titled “Read_me” was found that claimed records had been downloaded and would be exposed if a 0.15 Bitcoin ransom was not paid. He said: “The database was set to open and visible in any browser (publicly accessible) and anyone could edit, download or even delete data without administrative credentials”.
According to Threatpost, which first reported the story, the VA has been investigating the incident and it appears to have been related to penetration testing. Reginald Humphries, director of IT strategic communication at the Office of Information and Technology at the VA told Threatpost, “it appears that a researcher was attempting to find security deficiencies and flaws in United Valor Solutions systems. At this time, we do not believe there was a data breach but rather this was done for research purposes, at the request of the contractor, United Valor Solutions.”