A software glitch with a Department of Veterans Affairs benefits portal allowed users to access one another’s private information, alarming some veterans groups and lawmakers, who see the incident as the latest manifestation of an ongoing security problem.
The issue arose last week on a joint VA-Defense Department site that allows veterans and their dependents to access medical and educational benefits, disability claims, bank information and military personnel records, among other sensitive data.
More than 5,300 users may have been affected by the glitch, according to initial VA estimates.
VA shut down the eBenefits system on Jan. 15 and brought it back online Sunday. The agency said in a statement Tuesday that it “conducted a full review of the software issue and reinforced its security posture, after determining that the defect had been remedied and the portal was functioning properly.”
“We offer our sincere apologies to any service member, veteran or family member impacted by the software defect and the downtime,” VA said.
An internal VA memo says about 20 veterans contacted the agency on Jan. 15 to report that they could see the accounts of other users when they logged on.
The defect has raised concerns among lawmakers and veterans organizations. Some of the groups say their members are growing weary of such mistakes.
“We’ve seen VA expose sensitive information about veterans before,” the American Legion’s national commander, Daniel M. Dellinger, said in a statement Wednesday. “Now it has happened with the relatively new eBenefits website. How can VA expect our veterans to file for benefits online when they may be risking identity theft by doing so?”
In a statement Wednesday, Rep. Jeff Miller (R-Fla.), chairman of the House Veterans Affairs Committtee, criticized VA for a “string of alarming IT security setbacks” and called on the department to offer credit-monitoring services to every veteran and dependent in its database. He also said that VA Secretary Eric K. Shinseki must hold the agency’s leadership accountable for the “ongoing failures and unreasonable risks in IT security.”
VA said it is reviewing the mishap and will determine an exact number of users affected by the glitch. The agency also said it will provide free credit monitoring for any affected individuals.
The eBenefits system has about 3.4 million users, according to VA.
The House committee has been investigating VA’s IT security practices since last year. The panel learned during a June hearing that the agency’s computer network had been compromised by multiple individuals since March 2010, prompting a series of inquiries from lawmakers.
Miller and the committee’s ranking Democrat, Rep. Michael H. Michaud (Maine), wrote Shinseki in June requesting information about earlier problems.
“It is known for certain that some of the areas in the system that were compromised included unencrypted personally identifiable information regarding veterans and their dependents,” the letter said.
Since June, lawmakers have sent dozens of questions to Shinseki about VA’s information security practices, and some have grown frustrated with the agency’s response times. Miller has issued weekly letters to the secretary listing the outstanding information requests.
VA said in a statement Wednesday that it “respects Congress’ important oversight role and is committed to providing timely and accurate information.” The agency added that it has dealt with more than 85,000 congressional requests during the past four years.
The problems with the eBenefits site were first revealed on the online news site FedScoop.
On Monday, the site quoted a veteran as saying he accidentally changed the information of another user before noticing the glitch, suggesting veterans were able to alter accounts other than their own.