A database that contains the personal data and protected health information (PHI) of about 200,000 U.S. military veterans was found to be accessible on the internet by security researcher Jeremiah Fowler.
The database was discovered on April 18, 2021 and analysis revealed references to a firm known as United Valor Solutions based in Jacksonville, NC. United Valor Solutions is a service provider of the Department of Veterans Affairs (VA) that offers disability assessment services for the VA and some other government institutions. The database – which comprised veterans’ names, contact information, dates of birth, medical data, appointment details, unencrypted passwords, and billing details – can be accessed without having a password. Anyone could have viewed the database, downloaded the information and changed or deleted them.
Fowler informed United Valor Solutions regarding the breached data. The company responded the following day affirming the exposure of the database and that the incident had been reported to its contractors and public access was deactivated. It is uncertain for how long the database was exposed; nevertheless, United Valor Solutions said it seemed that the database was just used by internal IP addresses and Fowler’s.
Fowler mentioned he identified indications of a ransomware attack. Within the dataset was a note labeled “Read_me” which stated that data had been downloaded and would be exposed when a 0.15 Bitcoin ransom was not settled.
Threatpost reported that the VA has been looking into the incident and that it seems related to penetration testing. Director Reginald Humphries of IT strategic communication at the Office of Information and Technology at the VA issued a statement that a researcher was trying to discover security inadequacies and vulnerabilities in United Valor Solutions systems. Currently, the company does not think this to be a data breach. Rather, this was performed for research requirements, as per the request of the company, United Valor Solutions. The VA investigation into the occurrence is in progress.
Additional People Impacted by Insider Atascadero State Hospital Breach
A breach earlier reported by the California Department of State Hospitals (DSH) has affected more people than formerly accounted. The breach, which was uncovered on February 25, 2021, was about the improper access of medical records by a past employee.
The breach was initially considered to have impacted the files of 1,415 patients and former patients, 617 employee names, the personal data and PHI of 1,735 employees, and records of approximately 1,217 job candidates who were not successful in landing work.
More investigations into the inappropriate access showed the personal data of another 80 persons were viewed, including phone numbers, addresses, email addresses, birth dates, social security numbers, and driver’s license numbers. The immigration data of 38 people, employment-linked health data of 81 persons who had applied for a job, had been employed or were past employees, and 20 individuals’ dates of birth and the last four digits of their Social Security numbers were additionally accessed.
The employee concerned was put on administrative leave while the breach investigation is ongoing. The California Highway Patrol is helping the DSH with the inquiry.