With recent data breaches nationwide, government and industry are looking at “how did they happen and what contributed to the breaches?” The answers are important so that we can be better prepared in the future. One common theme emerging from recent breaches is a lack of multi-factor authentication (MFA) on accounts. MFA is a critical cybersecurity tactic that requires users to provide additional information beyond a username and password to confirm their identity when signing in to their online accounts. For example, requiring a user to also enter a unique code sent to their smartphone when signing in adds another layer of user authentication and protection against malicious actors gaining access to their account and information.

Missing MFA can have widespread consequences

The Change Healthcare security breach earlier this year is one example of the bad consequences that occur when MFA is missing.

Speaking before Congress in May 2024, UnitedHealth Group’s Chief Executive Officer stated, “Unfortunately, in this situation, there was a server which did not have MFA and it was used by the hackers to penetrate into Change Healthcare.”

The Change Healthcare incident reportedly affected 77% of health care in the U.S., leaving some patients having to pay large amounts of money out of pocket for their medications because the pharmacy couldn’t process their claims or their co-pay coupons.

For Veterans, as soon as VA became aware of the breach of Change Healthcare, one of our vendors, we promptly disconnected from all known systems associated with them. We restored impacted capabilities to ensure Veteran access to care. Community providers serving Veterans continued to receive payments.

Take-aways for all

All government agencies, Department staff, industry, Veterans, and other users can learn from this lesson. Be sure you have MFA on all your accounts. For an overview, check out this short Multi-Authentication video.

A total of 97 percent of VA staff are already using multi-factor authentication (MFA) to verify their identity before they can log in to VA systems, and we restrict access to Veteran data to only those VA staff with a need to know for delivering services to the Veteran. We are closing the gap to make this 100 percent.

For individual consumers, patients, Veterans, caregivers, and family members, we hope you’re applying this lesson too.

If you need more help, call your institution (such as the customer service line of your bank or email provider) or ask a trusted and tech-savvy family member or friend how to do so.

