With recent data breaches nationwide, government and industry are looking at “how did they happen and what contributed to the breaches?” The answers are important. Learning from them will help us be better prepared in the future.
One common theme emerging with recent breaches is lack of multi-factor authentication (MFA) on accounts. MFA is a critical cybersecurity tactic requiring users to provide additional information beyond username and password to confirm their identity when signing into their online accounts. For example, requiring a user to also enter a unique code sent to their smartphone when signing in to add another layer of user authentication and protection against malicious actors gaining access to their account and information.
Missing MFA can have widespread consequences
The Change Healthcare security breach earlier this year is one example of bad consequences that occur when MFA is missing.
In May 2024 before Congress, UnitedHealth Group’s Chief Executive Officer stated, “Unfortunately, in this situation, there was a server which did not have MFA, and it was used by the hackers to penetrate into Change Healthcare.”
The Change Healthcare incident reportedly affected 77% of health care in the U.S., leaving some patients having to pay large amounts of money out of pocket for their medications because the pharmacy couldn’t process their claims or their co-pay coupons.
For Veterans, as soon as VA became aware of the breach of Change Healthcare—one of our vendors—we promptly disconnected from all known systems associated with them. We restored impacted capabilities to ensure Veteran access to care. Community providers serving Veterans continued to receive payments.
Take-aways for all
All government agencies, Department staff, industry, Veterans and other users can learn from this lesson. Be sure you have MFA on all your accounts. For an overview, check out this short Multi-Authentication video.
A total 97 percent of VA staff are already using multi-factor authentication (MFA) to verify their identity before they can log in to VA systems, and we restrict access to Veteran data to only VA staff with a need-to-know basis for delivering services to the Veteran. We are closing the gap to make this 100 percent.
For individual consumers, patients, Veterans, caregivers and family members, we hope you’re applying this lesson, too.
If you need more help, call your institution (such as your bank, email provider customer service line) or ask a trusted and tech-savvy family member or friend how to do so.
Topics in this story
More Stories
Here are some of the top things to avoid while traveling, to enhance your online safety.
Arm yourself with the knowledge you need to be safe online when it comes to financial services, debt scams and junk fees targeting Veterans.
VA reduces complexity for Veterans, beneficiaries, and caregivers signing in to VA.gov, VA’s official mobile app, and other VA online services while continuing to secure Veteran data.
Great information…just add to all Brothers & Sisters put a Block on all of your Credit Bureaus, really easy to do & it’s free with all Bureaus ( if you do Block your credit bureaus) if you apply for credit, you can unblock for the creditor you want to access your credit & then lock it back down…#VETERANSTRONGE
Hopefully, a better authentication system can be developed beyond a second tier requiring emailed codes that take too long to arrive and difficulty navigating back to the sign-in site or those that send you into a non-stopping circle of confusion and frustration. You would think that with the advent of AI, a more sophisticated simplistic one-step cyber-safe technique could be developed. Something like what the hackers can do to compromise a site. Before long a third tier will have to be developed using what is there now. Otherwise, something that is the result of thinking out of the box.
Excellent advice. Thank you.