The head of D.C. Health Link will tell Congress on Wednesday that 17 members of the House and 585 staffers were among the tens of thousands of victims of last month’s data breach at the local health insurance marketplace.
According to a copy of the testimony she’ll give to a joint session of the House panels on Administration and Oversight and Accountability, Mila Kofman, the executive director of the D.C. Health Benefit Exchange, the Washington, D.C., agency that runs the marketplace, will detail how the breach occurred and how widely it spread across Congress.
Kofman will say that a review by the threat-intelligence firm Mandiant found that a cloud server was misconfigured to allow access to the exchange’s weekly reports without user authentication. These settings, she’ll tell lawmakers, were not malicious, but the result of human error.
“Let me be clear at the outset: the cause of this breach was human mistake,” Kofman’s testimony reads.
D.C. Health Link was created as a result of the 2010 Affordable Care Act, allowing city residents who do not have employer-provided health insurance to purchase plans. Members of Congress and their staffs are also required to obtain their health coverage through one of the Obama-era law’s exchanges, making D.C.’s program a popular option on Capitol Hill.
The D.C. Health Benefit Exchange learned of the breach March 6 when it learned that unauthorized individuals had gained access to its files and posted 11 records on BreachForums, a popular site for cybercriminals to buy and sell stolen data. A site member eventually posted a volume containing more than 67,500 unique D.C. Health Link records.
CyberScoop reported last month that the Health Benefit Exchange sent breach notification letters to 56,415 customers — a figure that included 21 members of Congress, as well as tens of thousands more residents of the nation’s capital. Along with the 17 House members and 585 staffers, the victims include 43 lawmakers’ dependents and 231 staff dependents.
According to Kofman’s testimony, the breach was sealed up March 8. Her agency proceeded to notify a half-dozen federal agencies and obtain three years of credit monitoring for breach victims. Mandiant finished its review last Friday, and the firm’s findings are expected to be discussed during Wednesday’s hearing.
BreachForums shut down last month when the FBI arrested a 20-year-old man suspected of running the site from his parents’ house in Upstate New York.