DC Health Link's data breach was caused by a misconfigured server, according to a prepared statement by an executive for the health insurance exchange at a House Oversight Committee hearing on Wednesday.
DC Health Link, a health insurance exchange program based in Washington, D.C., confirmed it suffered a data breach last month after a user on dark web hacking forum BreachForums offered to sell stolen data representing 170,000 individuals.
The user who originally posted the data, "IntelBroker," was permanently banned from BreachForums following the listing. However, on March 13, another user in apparent possession of the data under the alias "Denfur" claimed to be friends with IntelBroker and said the origin of the breach was an "open, exposed database."
On March 15, BreachForums' alleged founder was arrested in New York, and the forum was voluntarily shuttered days after due to law enforcement concerns. No definitive connection to DC Health Link was established.
Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority, which operates the exchange, participated in a hearing on Wednesday. The hearing was held by the U.S. House Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation as well as the Committee on House Administration's Subcommittee on Oversight.
During her opening statements, Kofman confirmed DC Health Link detected the breach on March 6 and that the cause of the breach was a misconfigured server.
"Let me be clear at the outset: The cause of this breach was human mistake," Kofman said. "With respect to the 'root cause' -- the problem here related to the configurations on a server used for generating and storing automated jobs and weekly reports. The server was misconfigured to allow access to the reports on the server without proper authentication. Based on our investigation to date, we believe the misconfiguration was not intentional but human mistake."
As part of the breach, the threat actor stole two "reports" representing sensitive data belonging to "56,415 current and past customers, including members of Congress, their families and staff," Kofman said. Among the victims were 17 House members, 43 of their dependents, 585 House staff members and 231 of their dependents. Personal information included names, dates of birth and social security numbers.
According to the exchange's website, approximately 100,000 individuals have private health insurance through the public-private exchange, including D.C.-area residents and "approximately 11,000 designated Congressional staff and members of Congress."
TechTarget Editorial asked DC Health Link about the discrepancy between the alleged 170,000-person listing and Kofman's 56,415 figure, but a spokesperson for the exchange declined to elaborate.
Kofman apologized directly to the committees during her opening remarks.
Mila KofmanExecutive director, District of Columbia Health Benefit Exchange Authority
"In addition to saying how sorry I am that we failed to prevent the theft of two reports which had sensitive personal information of our customers, I want you to know that we have not and will not fail in our response. And we are working hard to make sure this never happens again," she said.
DC Health Link engaged incident response firm and Google subsidiary Mandiant as part of its investigation. Kofman added that the Health Benefit Exchange Authority also engaged the FBI Cyber Security Task Force shortly after the breach. It further briefed law enforcement, CISA, both the U.S. Senate and House of Representatives, and more.
"We asked law enforcement for help immediately and shared information as we uncovered it," she said. "Mandiant quickly worked alongside our team to identify the root cause of the breach, which we immediately eliminated. In addition to addressing this issue, we initiated a comprehensive review of our entire system and security, and we will be making enhancements across the board and can keep you updated on that progress."
Alexander Culafi is a writer, journalist and podcaster based in Boston.