“Based on our investigation, affected individuals are those served by this website-based system: current, retired, and former Commissioned Corps officers and their dependents,” the email said.
The commissioned corps is a cadre of about 6,600 medical professionals — including physicians, nurses, dentists, rehabilitation therapists, pharmacists, researchers and more — reporting to the Surgeon General. They are involved in health-care delivery to underserved and vulnerable populations, disease control and prevention, food and drug regulation, and disaster response.
Counting retirees, former employees and family members would bring the total of affected people much higher, although neither the email nor a spokesman for the Department of Health and Human Services, the parent agency of the PHS, specified a figure.
The spokesman said the agency learned Sept. 20 that unauthenticated users could access a system used for payroll, leave, time, attendance and other personnel functions. The portal site has been disabled and will remain down while the investigation continues, although the Sept. 30 payroll run was unaffected, the email said.
“Teams across the Department and across government are working to learn as much as we can as quickly as we can, and to further improve our systems to prevent this type of issue in the future. . . . Next steps could include offering identity protection services to affected individuals,” said the email, co-signed by HHS Acting Assistant Secretary for Health Karen B. DeSalvo.
The email promises further information as it becomes available and offers instructions on how to request a free credit report and how to report unusual activity or potential errors on a credit report.
The hack is the latest in a long line of breaches of federal employee records that have targeted individual agencies, including the Energy Department and the U.S. Postal Service, as well as the Thrift Savings Plan, the 401(k)-style retirement savings program for federal employees.
The largest breaches, involving about 22 million people combined, hit two separate databases of the Office of Personnel Management. Those involved personnel records of current and former federal employees plus persons on whom the government had conducted background investigations, for security clearance or other reasons, since about 2000.
That resulted in a widespread offer of free credit monitoring and identity theft protection services for employees, and the creation of a new office to oversee background checks, along with boosted cyberdefenses.