Data Breach at Washington D.C. Health Insurance Exchange
The data breach that recently impacted Washington D.C.’s health insurance exchange was the result of human error, as stated by Mila Kofman, the Executive Director of the District of Columbia Health Benefit Exchange Authority. The breach was identified in early March and led to the exposure of sensitive personal information belonging to 56,415 individuals, encompassing current and former customers, members of Congress, their dependents, and congressional staff. Compromised data included dates of birth, Social Security numbers, and contact details.
In her written testimony prepared for a congressional hearing on Wednesday, Kofman revealed that the FBI Cyber Security Task Force was swiftly engaged following the discovery of the breach. Investigators were able to trace the security vulnerability to a misconfigured computer server. This misconfiguration inadvertently allowed unauthorized individuals to access server reports without proper authentication, resulting in the theft of two reports containing clients’ personal information. Kofman emphasized that the misconfiguration was an unintentional human error.
The issue became publicly known when the stolen data was found being offered for sale on an online forum. Kofman confirmed that among those affected were 17 members of the House of Representatives, 43 of their family members, and 585 House staff members along with their dependents.
Kofman expressed her apology for the breach in her testimony but also commended her agency’s prompt response. Actions taken included swiftly addressing and rectifying the security flaw, as well as providing identity theft and credit monitoring services to those whose information was compromised.
The incident has prompted further investigation by both Congress and the DC Health Link marketplace to ascertain the full scope of the breach, which is believed to have had considerable ramifications for 17 members of the House of Representatives and 585 congressional aides. Cybercriminals had taken advantage of the breach by marketing the stolen customer data on underground hacker forums.
