The DC Health Link data breach was due to human error

WASHINGTON (AP) — The recent breach of the personal data of thousands of users of the Washington health insurance exchange, including members of Congress, was caused by basic human error, according to a top administrator.

The revelation comes from prepared statements submitted ahead of Wednesday’s congressional hearing to investigate the matter. In a statement, Mila Coffman, executive director of the D.C. Office of Health Benefits Exchange, said the data breach was first discovered in early March and involved basic personal information — including date of birth, Social Security number and contact information – for “56,415 current and past customers, including members of Congress, their families and staff.”

Coffman said her office immediately involved the FBI’s Cybersecurity Task Force, and the security breach was quickly traced to a specific computer server that was “improperly configured to allow access to the server’s reports without proper authentication.” “Based on our investigation to date, we believe the misconfiguration was not intentional, but human error,” the statement said.

This security breach allowed an unidentified hacker to steal two reports that contained customers’ information – some of which was later offered for sale on an online forum. The issue first came to public attention when members of the House and Senate were informed that they and their staff may have been affected.

Coffman said the stolen data “included that of 17 members of the House and 43 of their dependents, as well as 585 members of the House staff and their 231 dependents.”

In her testimony, Coffman apologized for the breach but praised her agency’s response after the leak was discovered — identifying and closing the security breach and offering immediate identity theft and credit monitoring protection for those affected.

“We are not running away from this violation. We have been and remain committed to being open and transparent,” Coffman’s testimony said.

On Wednesday, the House Oversight Subcommittee on Cybersecurity, Information Technology and Government Innovation will question Coffman and House Chief Administrative Officer Catherine Szpindor in a joint session with the House Committee on Oversight Subcommittee.

The subcommittee’s two chairmen, Reps. Nancy Mace (R-South Carolina) and Barry Loudermilk (R-Georgia), said in a joint statement last week that “The DC Health data breach put thousands of people at risk, including members of Congress, Congressional staff and family members. People who trusted the DC Health Exchange to keep their personal health information secure are rightly concerned about the potential impact of this breach on their privacy. They rely on us to investigate how it happened, how it could have been avoided, how the impact can be mitigated and how to prevent a recurrence.”

The hearing comes in the broader context of a sweeping effort by the Republican-held House of Representatives to increase its oversight of D.C. government. Congress has already repealed the District of Columbia’s rewrite of the criminal code — which passed the Senate with significant Democratic support. This week, the House will also vote on a police reform bill passed by the D.C. Council last year, although the move has bleaker prospects in the Senate and President Joe Biden has already said he would veto it if necessary.


AP technology writer Frank Bajak in Boston contributed to this report.
