DC Health Link Data Breach Caused by Human Error
Further information has been released on the data breach at DC Health Link, the Washington, DC health insurance exchange, ahead of today's hearing of the House Oversight Committee's Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
DC Health Link detected the HIPAA data breach on March 6, 2023, and engaged Mandiant to investigate. By March 8, the source of the breach had been identified and was immediately shut down; however, files had already been stolen, and some of the compromised information was listed for sale on an online hacking forum. DC Health Link has offered complimentary credit monitoring and identity theft protection services to affected individuals. Mila Kofman, executive director of DC Health Link, said the internal investigation into the data breach is ongoing; however, she was able to share further information about the security incident and will discuss the findings of Mandiant's investigation at today's hearing.
Last week, the two chairs of the subcommittee, Reps. Nancy Mace (R-South Carolina) and Barry Loudermilk (R-Georgia), issued a joint statement ahead of the hearing. “The breach of D.C. Health Link data put thousands of individuals at risk, including Members of Congress, congressional staff, and family members. The individuals who trusted the D.C. health exchange to keep their personal health data secure are rightly concerned about the potential consequences of this breach on their personal lives. They are relying on us to investigate how it took place, how it could have been avoided, how the fallout can be mitigated, and how to prevent a recurrence.”
In a prepared statement submitted ahead of the hearing, Kofman confirmed that 56,415 current and former customers were affected, including members of Congress, their families, and Congressional aides. Two reports were stolen that included the personal data of 17 members of Congress, 43 of their dependents, 585 staffers, and 231 of their dependents. The compromised information included basic personal information, contact information, dates of birth, and Social Security numbers.
The hacker gained access to the data through a security flaw that Kofman says was introduced by human error: a cloud server had been misconfigured, which allowed the reports to be accessed without authentication. Misconfigured cloud storage buckets are commonplace; one report from Palo Alto Networks suggests that around two-thirds of exposed cloud servers contain some sensitive data. Kofman apologized for the breach and said DC Health Link rapidly investigated the incident and shut down access. “We are not shying away from this breach. We have been and remain committed to being open and transparent,” said Kofman in her prepared statement.