The Veterans Affairs Department on Monday said a recent data breach compromised personal information of roughly 46,000 veterans.
The VA discovered the data breach after the agency's Financial Services Center determined unauthorized users accessed an online application as part of an effort to redirect payments meant for community providers who had treated veterans.
The VA for years has struggled with providing timely payment to community providers. That was one of the challenges non-VA providers hoped the Veterans Community Care Program, a program launched last year to make it easier for veterans to receive services from private-sector doctors, would remedy.
Since the data breach, the Financial Services Center, a group in the VA's finance office, has taken the application offline.
System access won't be reenabled until the VA's information technology office completes a security review, according to the agency.
The hackers gained access to the application "using social engineering techniques and exploiting authentication protocols," according to a preliminary review from the VA's privacy office. Social engineering techniques, such as phishing, describe scams in which a hacker tricks someone into performing an activity or sharing confidential information.
The agency is offering free credit monitoring services to veterans whose Social Security numbers may have been compromised.
The VA did not disclose when the hack took place, whether the unauthorized users were able to complete transactions through the online application, and what veteran information was compromised.
The VA did not immediately respond to a request for comment.
An estimated 112,000 patients had personal information exposed in a similar cyberattack that Utah Pathology Services reported late last month in which a hacker attempted to redirect funds from the practice using a compromised email account. Utah Pathology said the hacker was not able to complete a transaction.
Millions of patients have had personal information exposed in data breaches so far this year. In August alone, healthcare providers, insurers and their business associations reported more than 30 data breaches to HHS' Office for Civil Rights, which compromised data on a collective 2.1 million patients.