Hearing Wrap Up: D.C. Health Exchange Head Struggles to Explain Huge Data Breach
WASHINGTON—Following a data breach which impacted the personally identifiable information and protected health information of tens of thousands of individuals at the D.C. Health Exchange, House Committee on Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation and the House Administration Committee’s Oversight Subcommittee held a joint hearing titled “Data Breach at the D.C. Health Exchange.”
During the hearing, members examined the cause of the data breach at the D.C. Health Exchange which affected individuals, Members of Congress, congressional staff, and their families. Members asked the director of the D.C. Health Benefit Exchange Authority how the breach happened, what steps are being taken to protect the exposed, and how we can ensure this never happens again. Members asked the Chief Administrative Officer for the U.S. House of Representatives about the state of data and cybersecurity standards in the House of Representatives.
Key Takeaways:
The cause of the data breach was a misconfigured server that was likely the result of human error.
- On March 6, 2023, the D.C. Health Benefit Exchange Authority (HBX) learned that the data of some of its customers on D.C. Health Link had been posted on a data breach forum.
- HBX became aware that the data breach impacted 56,415 customers, including individuals, Members of Congress, and their families. Breached data included personal information including names, date of birth, social security numbers, health plan information, and more.
- Mila Kofman, Executive Director of the D.C. Health Benefit Exchange Authority testified about the cause of the breach, “The cause of this breach is a server that was misconfigured, which allowed access to the two stolen reports without proper authentication. The investigation shows the misconfiguration was not intentional. To be clear – it was a human mistake.”
Congress needs more answers to understand exactly what happened, how actors are being held accountable, and how it can reevaluate the cybersecurity standards used by the D.C. Health Benefit Exchange.
- “We failed to prevent the theft of two reports, which had sensitive, personal information of our customers. I want you to know that we have not – and will not – fail in our response, and we’re working hard to make sure this never happens again,” Director Kofman said in her opening testimony.
The data breach highlights a risk of congressional data being collected by vendors that do not comply with House of Representatives standards.
- Catherine Szpindor, Chief Administrative Officer at the U.S. House of Representatives testified that they are taking steps to improve cybersecurity protections and ensure vendors meet House of Representatives standards.
- “We have continually improved our cybersecurity posture with the support of House leadership, we addressed staffing deficiencies and significantly increased behind the scenes improvements and capabilities to include enhanced real-time network monitoring, better malware detection tools, and improved security controls or devices and application,” Officer Szpindor said.
Member Highlights:
Subcommittee Chairwoman Nancy Mace (R-S.C.) asked for details related to what caused a compromised IP server, how HBX learned about the breach, and what actions they are taking in the aftermath to protect individuals.
Rep. Mace: “How long was the IP address exposed?
Director Kofman: “We are still investigating. The initial configuration of the server we know occurred mid-2018. […]We are doing an external investigation to identify who was involved in setting up all of the configurations, all of the settings, when that server was being integrated with Slack. Our suspicion is that it happened over time.”
Rep. Mace: “Do you all require as a company, a matter of company policy, two-factor authentication for company passwords that are used by employees or contractors?”
Director Kofman: “I will have to get back to you on what contractors are required to do.”
Rep. Mace: “Because we don’t know who’s responsible for it yet, no one’s been held accountable. No one’s been fired or lost a contract as a result of the breach. Would that be accurate to say? Are you going to fire the contractor or the employee that created this breach issue?”
Director Kofman: “We are doing a full investigation.”
Rep. Mace: “That would be a no, or an I don’t know, which is not an acceptable answer.”
House Administration Oversight Subcommittee Chairman Barry Loudermilk (R-Ga.) raised concern about the systems HBX has in place to protect against cyber-attacks and what can be done to further prevent breaches.
Rep. Loudermilk: “The majority of data leaks or cyber breaches are as the result of some form of human error. That is just known in the industry. […] When I hear that it was a mistake, human error, tells me that there were other policies that were not in place to protect against these human errors – such as two-person integrity, double checking what people were doing,”
Rep. Loudermilk also asked for a commitment to receiving more information about the breach.
Director Kofman: “You have Mandiant’s incident report. In addition to that, what I’m committing to doing is providing additional reports and information we gleaned from external independent cybersecurity experts that I’ve asked to look at our entire system.”
Rep. William Timmons (R-S.C.). inquired about what standards apply to the D.C. Health Exchange and who conducts oversight of its systems.
Rep. Timmons: “Do you think that we should reevaluate whether Members of Congress and employees should be forced to use the health exchange?
Officer Szpindor: Well, I really think that that is up to you in Congress to make an evaluation of that.”
House Administration Committee Chairman Bryan Steil (R-Wis.) warned that D.C. Health Link should be held to the same standards as vendors under the House of Representatives.
Chairman Steil: “How often is the House of Representatives the target of a cyber-attack?”
Officer Szpindor: “Every single moment of every day.”
Chairman Steil: “The breach that occurred on a vendor that doesn’t meet the House’s standards. Is that accurate? The standard that the vendor had, and the error that the vendor had, would not meet the standard that you have for vendors in the United States House of Representatives.”
Officer Szpindor: “With this current breach.”
CLICK HERE to watch the hearing.