Newly released details into the hack of DC Health Link Exchange in early March show the hack was caused by an employee error: a misconfigured server allowed access without authentication and led to the theft of two reports.
“Let me be clear at the outset: the cause of this breach was human mistake,” according to prepared testimony from Mila Kofman, executive director of the DC Health Benefit Exchange Authority, ahead of a House Oversight Committee hearing scheduled for April 19. “At no point, was the DC Health Link enrollment system breached or exposed.”
As SC Media reported, the data of congressional leaders and staff was stolen during the hack of DC Health Link, the health insurance marketplace for Washington. The Capitol Police and the insurer notified House of Representatives Chief Administrative Officer Catherine Szpindor of the “significant data breach” on March 7.
Capitol Police and the FBI were brought on to support the analysis. The early findings revealed that the personally identifiable information of thousands of health insurance enrollees may have been exposed during the incident. But the scope and source of the hack was unknown.
Kofman’s prepared testimony sheds light on those missing details.
DC Health Link first discovered the data theft on March 6, finding that the personal data of its customers were stolen and the information tied to 11 of those customers were posted on the dark web. The 11 impacted individuals “whose information was included in the threat actor’s advertisement” were notified the next day and offered three years of identity theft protection.
The FBI Cyber Security Task Force was immediately contacted for help and arrived at the DC Health Link offices that afternoon. Mandiant was also brought on to support the investigation.
Law enforcement “obtained the [two] reports” and returned them to DC Health Link on March 7.
The stolen data included information tied to 17 House members and 43 of their dependents, as well as 585 House staff members and 231 of their dependents. The source of the leak was found just two days after discovery was shut down by the security team and Mandiant on March 8.
Szpindor’s prepared testimony suggests the reports were tied to monthly “established secure data transfer protocol to pay healthcare premiums, report terminations, and fix information discrepancies” between DC Health link and the CAO. “The secure data transfer protocol is outlined and solidified between the two entities in an interconnection security agreement.”
However, CAO “does not operate nor have involvement in the security measures used to protect the DC Health Link system,” explained Szpindor.
During the review of the stolen reports, the security team and Mandiant “identified data that was stored in the same manner as the two stolen reports,” Kofman wrote. The discovery led DC Health Link to provide those customers with the same identity theft and credit monitoring protection as the initial group of affected customers.
The official incident response report was finished by Mandiant on April 14, but DC Health Link is continuing to investigate. Kofman’s testimony stressed that, “ With respect to the ‘root cause’: the problem here related to the configurations on a server used for generating and storing automated jobs and weekly reports.”
“Based on our investigation to-date, we believe the misconfiguration was not intentional but human mistake,” Kofman added. The findings confirmed that the mistake was “made in setting up a server used for storing and transmitting reports that were being used for business purposes.”
Kofman also stressed the strength of DC Health Link’s cybersecurity program, as it uses similar tools used by federal agencies and has “successfully repelled attacks on our network and site” in the past.
In response to the exposure, DC Health Link has implemented numerous remediation measures, as it continues to work with an outside firm to bolster its security.