The benefit exchange’s director testified before a House Committee on the ongoing investigation into a data breach exposing DC residents’ and lawmakers’ data.
Leadership from the beleaguered DC Health Benefit Exchange Authority, the governing body of DC Health Link—the health insurance entity that suffered a cyberattack that left personal information from lawmakers and Capitol Hill staffers exposed—testified before a House committee on Wednesday, clarifying that it was human error that led to the breach.
DC Health Benefit Executive Director Mila Kofman explained to the House Administration Subcommittee on Oversight that a misconfigured server led to sensitive personal information from a total of 56,415 current and past customers, including 17 sitting members of Congress, to be leaked.
“The cause of this breach is a server that was misconfigured, which allowed access to the two stolen reports without proper authentication,” Kofman said. “The investigation shows the misconfiguration was not intentional. To be clear: it was a human mistake.”
She further added that once learning of the breach, which occurred in early March, the agency immediately reached out to FBI resources and cybersecurity consultant firm Mandiant to assess the fallout from the cyber attack and find the source of the breach.
The specific misconfiguration within DC Health Link was an exposed IP address. Kofman told Chairwoman Nancy Mace, R-S.C., that the IP address was found to have been exposed beginning in 2018.
Kofman added that the investigation now centers on who was involved in designing these configurations and may bear responsibility for the breach.
“We're doing an external investigation to identify who was involved in setting up all of the configurations, all of the settings,” she said. “Our suspicion is that it happened over time.”
Committee members were broadly critical of DC Health Link’s foundational cybersecurity policies. Rep. Barry Loudermilk, R-Ga., stated that the bulk of data leaks or cyber attacks are the result of human error, which indicates a lax cybersecurity posture.
“When I hear that it was a mistake––human error––tells me that there are other policies that were not in place to protect against these human errors,” he said.
Kaufman said that she is “committed” to keeping Congress and victims of the hack updated regarding the results of the ongoing investigation, including reviewing the system’s firewalls, software code and security configurations.
“I'm committing to providing you [House Administration Subcommittee] with updates on what we learned from external experts we've hired and all the steps that we're taking to make sure this never happens again,” she said.