(CNN) — The Department of Veterans Affairs said Monday that roughly 46,000 veterans had their personal information, including Social Security numbers, exposed in a data breach in which “unauthorized users” gained access to an online application used for making health care payments.
A preliminary review of the incident indicated that the hackers accessed the application “to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols,” according to the department’s announcement.
“The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the medical treatment of Veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office,” the statement said.
“To prevent any future improper access to and modification of information, system access will not be re-enabled until a comprehensive security review is completed by the VA Office of Information Technology,” it added.
The VA did not immediately respond to CNN’s request for additional information about the breach, including questions related to who is believed to be responsible and whether any money was diverted from veterans who were affected.
Later Monday, department spokeswoman Christina Noel told CNN: “VA’s independent inspector general is investigating that issue, and in order to protect the integrity of the investigation, VA can’t comment further.”
The department is taking steps to alert veterans whose information was compromised.
“To protect these Veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information. The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised,” Monday’s statement said.
“Veterans whose information was involved are advised to follow the instructions in the letter to protect their data. There is no action needed from Veterans if they did not receive an alert by mail, as their personal information was not involved in the incident,” it adds.