Editor’s note: This post was updated 7/26/2024 to inform readers of the upcoming July 29 mailings.
You may have heard in the news about the recent Change Healthcare (CHC) cybersecurity incident, which impacted many health care institutions across America. We at VA want to provide an update on what this incident could mean for you.
CHC is one of VA’s vendors, and as soon we became aware of the breach we took swift action to disconnect from all known systems with CHC; we have confirmed that there is no malicious activity or irregularities in our system.
However, CHC announced this week that “a substantial portion of the people in America” could have had some protected health information leaked as a result of this incident. While there is no confirmation that Veteran data was leaked as a result of this incident, we want to provide you with all of the information that you could need to protect yourself.
Here’s what you need to know:
- CHC is notifying impacted individuals via U.S. mail beginning July 29. The letters explain how you may have been impacted and steps you can take to protect your identity online.
- CHC is offering credit monitoring for all impacted individuals. CHC will provide two years of free credit monitoring and identity theft protections for those impacted. You can call 1-866-262-5342 or visit the dedicated UHG/CHC website at http://changecybersupport.com to learn more.
- VA has general fraud protection information available to you. There are always steps that you can take to protect yourself against fraud and identity theft, and VA has resources available to you. General information on how to protect yourself from fraud is available at Protecting Veterans From Fraud | Veterans Affairs (va.gov). This includes a fraud protection toolkit, frequently asked questions, information about how to be vigilant about scams, and much more.
- The federal trade commission also offers resources to help protect your identity. For additional information about other precautions available to you, visit the Federal Trade Commission website at http://www.consumer.ftc.gov/features/feature-0014-identity-theft.
- VA health care operations are not impacted. While we work through this issue, we want you to know that VA remains fully open for business—and there is no known adverse impact on VA patient care or outcomes to date. Please do not hesitate to come to us for all of your health care needs, as usual.
At this time, we cannot confirm that any Veteran data has been compromised, so we cannot answer specific questions as to whether your data is involved. But if it is determined that Veteran data was included in the data breach, we will ensure that you are notified and full support is provided.
Protecting your personal health information is—and always will be—one of our top priorities. We will continue to monitor this incident closely and provide updates whenever possible.
Link Disclaimer
This page includes links to other websites outside our control and jurisdiction. VA is not responsible for the privacy practices or the content of non-VA Web sites. We encourage you to review the privacy policy or terms and conditions of those sites to fully understand what information is collected and how it is used.
Topics in this story
Link Disclaimer
This page includes links to other websites outside our control and jurisdiction. VA is not responsible for the privacy practices or the content of non-VA Web sites. We encourage you to review the privacy policy or terms and conditions of those sites to fully understand what information is collected and how it is used.
Statement of Endorsement
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, and shall not be used for advertising or product endorsement purposes.
More Stories
Bob Jesse Award celebrates the achievements of a VA employee and a team or department that exemplifies innovative practices within VA.
The Medical Foster Home program offers Veterans an alternative to nursing homes.
Watch the Under Secretary for Health and a panel of experts discuss VA Health Connect tele-emergency care.
Thanks for now requiring a 15 character password that has to be changed every 30 days.
30 mins to change my password and another 26 minutes to get a copy of my benefit letter because no one thought to put a link after you signed in.
What’s with the looping after you sign in before you can get to the actual information pages? Your page designers suck..
typical bureautic response. When is the government going to act in behalf of its veterans?
Why are you hiring so many people with mental illness.
Yes, I could leave USB thumb drives in a parking lot with a root virus that your employees would immediately plug it in to a computer that has access to the Internet.
Yep, I was trained to be a troubleshooter.
[Editor: USB ports are disabled by VA’s OIT.]
Great. How do I know if my account was affected?
This concerns me very much. The possible breach of information is not only my ssn and dob but private health information that could be used against me. I want to be contacted by someone who can help delete my problem list from my medical record at the VA.
This is very weak response to a leak. There is the standard coverage of any proven financial loss that costs almost nothing. Where is the aggressive prevention or penalty for a loss of data that has been entrusted to an outside vendor? Is there a penalty clause in their contract? What are the consequences for allowing someone to take our data?
Eric G is correct: the UHG/CHC website is not secure. If you are inclined to trust them to monitor your credit for two years , your best bet is to call the phone number. Do not use the website.
How will I know if I’am a victim. Who will contact me, CHC or VA. I want to feel comfortable with the information I may receive.
Linda
When will my healthy vet be available again. A lot of veterans need help to access My Health Vet . On line !!! A lot of Older Veterans Have Trouble accessing or setting up my Healthy Vet. Some older Veterans don’t have a computer or can’t use one. They need help.
I tried to tell the VA I didn’t want my information added to online data. They told me that medical records are going digital and there was nothing I could do about it. They told me my information would be safe. I told them they were wrong and that when someone in the future is able to get ahold of my data that the VA would be responsible for HIPPA violations. They told me it would never happen and now we find out they were never in charge of the data to begin with. Another HIPPA violation. Veterans should be given the choice to have their records online or hard paper copy. The VA also told me that having my records digital would allow for continuity of care across the VA system, yet every time I move and go to a new VA I have to start all over from square one telling the doctor everything that has been wrong with me from the time I entered the military till present. The VA is good at one thing, protecting itself through obfuscation and denial. This was foreseeable and preventable but why would the VA ever listen to their patients?
Yep! I agree with you! I am now blind, and I’m tired of being referred to going online when I just barely started being able to somewhat do things online after seven years of being blind! But anyway… I hope there’s a class action lawsuit that we can all partake in because of this crap!
It is not HIPPA violation it is HIPAA (Health Insurance Portability Accountability Act)
Agree with pissed off vet
Going digital is safe???!!! Worst decision ever to go digital. How many times must we read the news and hear of another company getting hacked? Yet the VA didn’t seem to care enough or to be proactive enough to check their vendor that keeps all VA medical records to see how they are protecting the information of millions of vets. The VA is great at being reactive AFTER an issue such as this takes place even when they know they could be a target of this kind of thievery.
Status quo!
I have heard that Change’s problem stemmed from not using dual verification of requests. That’s a training problem, no? I use it whenever available.
I sign in, get asked if I want a code sent by phone (yes), then enter that code to complete sign-in.
Your records have been digital in the CPRS (Computerized Patient Record System) and VistA (Veterans Health Information System Technology Architecture) for years. It wouldn’t be possible to schedule an appointment, document care provided, or account for provider time without these. The CPRS system also has/had a button called Legacy Joint View that links VA providers to all of your military records and military providers to all your VA records. The military has already converted to Genesis. The VA is in the process of attempting that. The goal is for all records to be on one system eventually. All digital systems are under constant forms of attack from hackers and other nations without ethics. Interestingly in 1999 when everyone was so freaked out from Y2K fear-mongering, many military facilities and companies came up with “how to operate without computer plans for operation.” Being in the AF at the time I heard and read many times that the “how to operate without computer plans for operation” would need to be ongoing eternally – and that was absolutely correct. How do you make appointments with no computers? How do you get gas? Fill prescriptions? Run a register? Buy food? By the year 2001 it was like Y2K had never happened and we never needed to plan for such events ever. That is not correct. The need to have ongoing plans for how to operate without computers, with compromised computers, and without power, is needed more than ever before. Heads are in the sand.
These types of issues have been known to be happening FOR A LONG TIME. It truly sad that sites that host valuable information HAVE NOT TAKEN PRECAUTIONS!!!!! While not necessarily easy, is something that can be accomplished, Amongst other methods, the machined that host personal information should not be accessible through the public internet. Such information should only be available to internal sites. Yes, these are simple thoughts. That said, it is a basis for making systems secure…
You wouldn’t tell us even if you knew. More government hocus pocus. Whamo it’s fixed. Don’t worry, be happy. Right
So, when attempting to visit the cited website at:
the dedicated UHG/CHC website,
my browser stopped me from going there, informing me that the URL doesn’t support https. I’m very disappointed that ANY external links do not support https. I understand you’re not responsible for cited external links, I feel the least you could do is validate them before publication.
[Editor: I personally verified every link in the story prior to publishing. And again just now. They all work.]
Responding to the editor:
They may all “work”, but they are not “secure”. Just look at the URL for the dedicated UHG/CHC website. The fact that it begins with “HTTP” and NOT “HTTPS” should be a clue. Just for the record – HTTPS is the secure version of HTTP. Just a very simple thing that every U.S. Government agency should require from ANY entity that holds or provides access to sensitive information for any U.S. citizen. There are MANY more things that the government should require, but HTTPS should be a bare minimum starting point.
The only accurate information in this story that’s 100 per cent true:
“VA is not responsible”.
Soooo….our government can maintain Top Secret/SCI and higher confidential information better than they can veterans’ PII that served, fought for, and potentially got disabled for our country…..yet they don’t think logically with common sense and conduct due diligence to confirm they have legitimately secured the vulnerable PII of our veterans to ensure they don’t become victims of identity theft / fraud….which I’m one of them and have had my identity stolen at least twice now…..remember the OPM hack by China…..and now this….. ?♂️
I told the 23rd. Street VA that my information was hacked and that my SS number was compromised. and who sent me to this outside MRI clinic THE VA. The 23rd street VA can care LESS.