DC Health Link Points to Human Error as Cause of Data Leak

April 21, 2023 - At a recent House Oversight Committee hearing, Mila Kofman, executive director of the DC Health Benefit Exchange Authority (DCHBX) delivered a testimony providing new information about the data breach at DC Health Link.

As previously reported, DC Health Link discovered a breach in early March that potentially exposed the personal information of more than 56,000 current and past customers, including members of Congress and their families. A threat actor stole two reports that included personal information, including names, birthdates, and Social Security numbers.

“Let me be clear at the outset: the cause of this breach was human mistake. With respect to the ‘root cause’ – the problem here related to the configurations on a server used for generating and storing automated jobs and weekly reports,” Kofman stated.

“The server was misconfigured to allow access to the reports on the server without proper authentication. Based on our investigation to-date, we believe the misconfiguration was not intentional but human mistake. Also, at no point, was the DC Health Link enrollment system breached or exposed.”

Kofman explained that upon discovery of the breach, DCHBX immediately engaged the FBI Cyber Security Task Force and brought incident response firm Mandiant on board to investigate the incident. Mandiant completed its incident response report in mid-April, determining that the breach was the result of a misconfigured server.

“In addition to saying how sorry I am that we failed to prevent the theft of two reports which had sensitive personal information of our customers, I want you to know that we have not and will not fail in our response and we are working hard to make sure this never happens again,” Kofman continued.

Kofman said that DCHBX has since implemented additional safeguards to improve the security of its environment and has successfully fended off attacks in the past. In fact, the organization leverages the same technologies used by US military and intelligence agencies.

Catherine Szpindor, chief administrative officer at the US House of Representatives, testified that the House is taking steps to improve its cybersecurity posture and is working with vendors to ensure that they meet House of Representatives security standards.

Still, House Oversight Committee members were left with remaining questions about the breach.

“Because we don’t know who’s responsible for it yet, no one’s been held accountable. No one’s been fired or lost a contract as a result of the breach. Would that be accurate to say? Are you going to fire the contractor or the employee that created this breach issue?,” asked Representative Nancy Mace (R-SC) during the hearing.

Kofman replied that the organization is still conducting a full investigation.

“That would be a no, or an I don’t know, which is not an acceptable answer,” Mace replied.

Kofman indicated that DCHBX will provide additional information as the investigation continues.