The Department of Veterans Affairs still has not taken adequate steps to protect private data, despite security flaws during the past few years that have been exploited by hackers, according to a report by the Government Accountability Office released Monday.

“Until VA fully addresses identified security weaknesses, its systems and the information they contain — including veterans’ personal information — will be at an increased risk of unauthorized access, modification, disclosure, or loss,” the report concluded.

The VA oversees a massive system, with more than 300,000 employees. It administers health care and other benefits to about 22 million veterans and their families through the Veterans Health Administration, Veterans Benefits Administration and the National Cemetery Administration.

Several incidents in the past few years have highlighted weaknesses in the VA’s information system.

The system was hacked in 2010 by attackers who exploited weak technical controls within the agency. In January this year, a software defect in the VA’s eBenefits system, an application that is used by almost 3 million veterans to receive services, gave users unfettered access to information about other veterans. The private data of about 1,300 veterans or their dependents was potentially viewed by others, the report said.

The VA has taken some steps to patch such network vulnerabilities, and it is now required to submit monthly reports to Congress detailing private data breaches. For example, in October the report stated that the data of 765 veterans had been affected by incidents such as lost/stolen devices and incorrect mailings.

The GAO report found, however, that the agency had not yet taken adequate steps to fully protect its network.

In the wake of a 2012 cyberattack by “malicious outsiders,” the VA’s Network and Security Operations Center took steps to remediate network weaknesses that had been exploited.

“However, VA could not demonstrate the effectiveness of its efforts because staff could not locate the associated forensics analysis report or other key materials,” said Gregory Wilshusen, the GAO’s director of information security issues, during testimony Tuesday before the House Committee on Veterans’ Affairs.

“Without preserving such evidence, VA will be unable to demonstrate the effectiveness of its incident-response measures and may be hindered in assisting law enforcement agencies in investigating and prosecuting cyber crimes.”

In addition, the VA had yet to even address the underlying vulnerability that allowed the 2012 intrusion, Wilshusen said.

Part of the problem is that VA policy doesn’t allow NSOC full access to the agency’s computer networks.

The VA has also been slow to apply critical “patches” to vulnerabilities identified in software, the report said. As of May this year, the VA had not applied patches to the 10 most critical vulnerabilities identified by department security scans, even though some patches had been available for more than two years.

The report noted, however, that the VA is in the process of hardening its network against breaches. It has established an organization to oversee remediation of vulnerabilities and is working on the creation of a database to track the implementation of patches and other fixes.
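The tracking database described above exists to answer one question: which identified vulnerabilities still lack a patch, and for how long has that patch been available? The following Python script is an added illustration of that check, not code from the article, the GAO or the VA. The finding ids, host counts, dates and per-severity deadlines are constructed placeholders.

```python
from datetime import date

# Constructed reference date for the check (assumption, not a date from the report).
AS_OF = date(2014, 5, 31)

# Constructed sample scan findings. Ids, host counts and dates are invented for this
# example and are not values from any VA scan or the GAO report.
FINDINGS = [
    {"id": "F-001", "severity": "critical", "hosts": 412,
     "patch_available": date(2011, 4, 12), "patched_on": None},
    {"id": "F-002", "severity": "critical", "hosts": 38,
     "patch_available": date(2014, 3, 1), "patched_on": date(2014, 3, 20)},
    {"id": "F-003", "severity": "high", "hosts": 90,
     "patch_available": date(2013, 9, 5), "patched_on": None},
    {"id": "F-004", "severity": "critical", "hosts": 7,
     "patch_available": date(2014, 5, 10), "patched_on": None},
    {"id": "F-005", "severity": "medium", "hosts": 200,
     "patch_available": date(2012, 1, 20), "patched_on": None},
]

# Assumed remediation deadlines in days by severity: a policy choice for this
# example, not the VA's actual SLA.
SLA_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}


def days_exposed(finding, as_of=AS_OF):
    """Days from the patch becoming available to remediation, or to `as_of` if still open."""
    end = finding["patched_on"] or as_of
    return (end - finding["patch_available"]).days


def overdue(findings, as_of=AS_OF, sla=SLA_DAYS):
    """Open findings whose patch has been available longer than the deadline for their
    severity, longest exposure first."""
    late = [f for f in findings
            if f["patched_on"] is None and days_exposed(f, as_of) > sla[f["severity"]]]
    return sorted(late, key=lambda f: days_exposed(f, as_of), reverse=True)


def hosts_exposed(findings, as_of=AS_OF, sla=SLA_DAYS):
    """Number of hosts affected by at least one overdue finding (sum over findings)."""
    return sum(f["hosts"] for f in overdue(findings, as_of, sla))


def compliance_by_severity(findings, as_of=AS_OF, sla=SLA_DAYS):
    """Map severity -> (within_sla, total). A closed finding counts as within SLA if it
    was patched in time; an open one counts only while its deadline has not passed."""
    stats = {}
    for f in findings:
        ok = days_exposed(f, as_of) <= sla[f["severity"]]
        within, total = stats.get(f["severity"], (0, 0))
        stats[f["severity"]] = (within + int(ok), total + 1)
    return stats


if __name__ == "__main__":
    for f in overdue(FINDINGS):
        print(f"{f['id']} {f['severity']:8} overdue by "
              f"{days_exposed(f) - SLA_DAYS[f['severity']]:5d} days on {f['hosts']} hosts")
    print("hosts exposed:", hosts_exposed(FINDINGS))
    print("SLA compliance:", compliance_by_severity(FINDINGS))
```

The sort order matters for triage: the finding open since 2011 in the sample data is reported first, which is the "patch available for more than two years" situation the report describes. Counting open findings against their deadline rather than only closed ones keeps the compliance figure from looking better simply because nothing has been patched.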

olson.wyatt@stripes.com

Twitter: @WyattWOlson