With recent data breaches nationwide, government and industry are looking at “how did they happen and what contributed to the breaches?” The answers are important. Learning from them will help us be better prepared in the future.
One common theme emerging from recent breaches is the lack of multi-factor authentication (MFA) on accounts. MFA is a critical cybersecurity tactic requiring users to provide additional information beyond username and password to confirm their identity when signing into their online accounts. For example, a site may require a user to also enter a unique code sent to their smartphone when signing in, which adds another layer of user authentication and protection against malicious actors gaining access to their account and information.
Missing MFA can have widespread consequences
The Change Healthcare security breach earlier this year is one example of bad consequences that occur when MFA is missing.
In May 2024 before Congress, UnitedHealth Group’s Chief Executive Officer stated, “Unfortunately, in this situation, there was a server which did not have MFA, and it was used by the hackers to penetrate into Change Healthcare.”
The Change Healthcare incident reportedly affected 77% of health care in the U.S., leaving some patients having to pay large amounts of money out of pocket for their medications because the pharmacy couldn’t process their claims or their co-pay coupons.
For Veterans, as soon as VA became aware of the breach of Change Healthcare—one of our vendors—we promptly disconnected from all known systems associated with them. We restored impacted capabilities to ensure Veteran access to care. Community providers serving Veterans continued to receive payments.
Take-aways for all
All government agencies, Department staff, industry, Veterans and other users can learn from this lesson. Be sure you have MFA on all your accounts. For an overview, check out this short Multi-Authentication video.
A total of 97 percent of VA staff are already using MFA to verify their identity before they can log in to VA systems, and we restrict access to Veteran data to only those VA staff who need to know it to deliver services to the Veteran. We are closing the gap to make this 100 percent.
For individual consumers, patients, Veterans, caregivers and family members, we hope you’re applying this lesson, too.
If you need more help, call your institution (such as the customer service line of your bank or email provider) or ask a trusted and tech-savvy family member or friend how to do so.
BE VERY CAREFUL OF THIS MFA system. It really doesn’t protect the end users but what it does is protect websites and businesses. They are too cheap and lazy to really do security the right way so dump the problem onto the end users. Also most companies only allow codes sent to cellular phones but some will do email. But very few allow you to choose both. SO GUESS WHAT HAPPENS WHEN YOUR PHONE IS LOST OR DAMAGED… THAT’S RIGHT, YOU ARE NOW LOCKED OUT OF THAT ACCOUNT AND ANY OTHERS THAT ONLY USE THE PHONE METHOD!!! HAPPENED TO ME AND I WAS LOCKED OUT OF BANKING FOR A FEW WEEKS AND LOCKED OUT OF AMAZON FOR 4 MONTHS.
Great information… just add to all Brothers & Sisters: put a Block on all of your Credit Bureaus, really easy to do & it’s free with all Bureaus (if you do Block your credit bureaus). If you apply for credit, you can unblock for the creditor you want to access your credit & then lock it back down… #VETERANSTRONGE
Hopefully, a better authentication system can be developed beyond a second tier requiring emailed codes that take too long to arrive and difficulty navigating back to the sign-in site or those that send you into a non-stopping circle of confusion and frustration. You would think that with the advent of AI, a more sophisticated simplistic one-step cyber-safe technique could be developed. Something like what the hackers can do to compromise a site. Before long a third tier will have to be developed using what is there now. Otherwise, something that is the result of thinking out of the box.
Excellent advice. Thank you.