DC Health Link confirms breach, but questions remain

A recent disclosure of a data breach at public health insurance marketplace DC Health Link raised questions about how the service was initially compromised.

DC Health Link is a public-private healthcare exchange program for Washington, D.C., residents operated by the DC Health Benefit Exchange Authority (DCHBX). According to its website, "Approximately 100,000 people have private health insurance through DC Health Link and this includes more than 5,000 District small businesses, approximately 11,000 designated Congressional staff and Members of Congress, and thousands of District residents."

The breach was first reported last week when U.S. House of Representatives members revealed that personal health data relating to themselves, their families and their staff members was compromised in a breach against the exchange.

Although the exchange broadly confirmed the attack to press at the time, DCHBX gave its first significant public-facing statement Friday via Twitter and a pop-up advisory on the DC Health Link website. The organization said it immediately launched an investigation on March 6 after learning of the incident, and began working with law enforcement and Google-owned incident response firm Mandiant.

According to the statement, 56,415 customers were affected. Compromised data included customer names, Social Security numbers, dates of birth, genders, health plan information, employer information and enrollee information. The statement noted that not every customer necessarily had information from every possible data field stolen.

Update on the recent data breach pic.twitter.com/3ag25P0hm0

— DC Health Link (@DCHealthLink) March 10, 2023

As part of its response, the DCHBX executive board said it would reach out to affected enrollees to offer three years of credit and identity monitoring for "all three major credit bureaus." The service would further be offered to all enrolled dependents, spouses and children of affected customers, as well as customers who were not directly affected by the data breach.

"While this remains an ongoing investigation, our services are running normally and we continue to operate in a state of heightened alert," the statement read.

Despite these new details, questions remain regarding the nature of the data breach as well as the attack vector the threat actors used.

UPDATE 3/14: The attack vector for the DC Health Link breach may have been an exposed database, according to a dark web forum post by an individual in apparent possession of the data.

On March 6, a user on a well-known dark web hacking forum under the alias "IntelBroker" offered stolen DC Health Link data allegedly representing data from 170,000 individuals for an undisclosed amount of the cryptocurrency Monero. IntelBroker was permanently banned by the forum following these posts.

On Monday evening, another user under the alias "Denfur," who claimed to be friends with IntelBroker and who had previously published data samples from the breach, posted an update attempting to clarifying the situation.

First reported by CyberScoop, Denfur's post said the original attack vector for the breach was an "open, exposed database" that required no verification to access. Moreover, the poster said that "to our estimates, the database was most likely exposed for over a year and a half before the breach occurred."

"This leak could have been avoidable if [DC Health Link] would have had the integrity to lock down the machines that are holding user records," Denfur wrote, ending his posts with "Glory to Russia!".

TechTarget Editorial contacted DC Health Link regarding Denfur's statements, but a spokesperson declined, sharing Friday's statement instead.

DC Health Link, according to recent reporting, uses AWS for its cloud hosting needs. According to an AWS case study, DC Health Link initially faced scalability issues from using commercial off-the-shelf products to run the exchange when it launched in 2013. In 2015, it began migrating its IT systems from data centers to an AWS-powered cloud model "using open-source code with no licensing fees."

It is unknown if DC Health Link was using a cloud model at the time of the breach, though DCHBX was recognized by AWS multiple times for the cloud provider's City on a Cloud Innovation Challenge; the exchange earned AWS' Best Practices Award in 2016 and 2018, and won the Sustainability and Equity Award in 2019.

It's unclear how the attacker gained access to DC Health Link's data, but misconfigured S3 buckets that accidentally expose sensitive data have been a problem for AWS customers for several years. While AWS made several changes to curb accidental data exposures, including blocking public access to S3 buckets by default in 2018, misconfigured cloud resources are still an issue for organizations across various cloud provider platforms.

Security vendors have observed a recent rise in attacks on cloud services and platforms; CrowdStrike said in its "Global Threat Report" last month that cloud exploitation cases increased by 95% over the course of 2022. In addition, the security vendor said it tracked a threefold increase in attacks against cloud environments by "cloud-conscious" threat actors.

Similarly, attacks using open source code have become increasingly common in recent years. The now-infamous Log4Shell exploit, for example, occurred due to vulnerabilities in open source Java logging framework Log4j.

TechTarget Editorial asked DC Health Link about its use of AWS, as well as whether the customers' private health data was encrypted. DC Health Link has not responded as of press time.

Alexander Culafi is a writer, journalist and podcaster based in Boston.