
Lawmakers ‘scratching their heads’ at lack of answers on health breach

Misconfigured server gave hackers access to personal data

Rep. Barry Loudermilk, R-Ga., said the breach of personal data left the congressional community "in shock." (Bill Clark/CQ Roll Call file photo)

House members on Wednesday demanded accountability for a health care data breach in which personal information of more than a dozen lawmakers, hundreds of staff members and their dependents was posted online.

The breach was the result of human error, according to Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority. Kofman’s agency oversees DC’s health insurance marketplace, DC Health Link, which was hacked in March.

A server containing the personal information was misconfigured in a way that allowed access without proper authentication, Kofman said at a House hearing.

That misconfiguration — described as an exposed IP address — allowed hackers to access the system and unearth the personal data of at least 56,415 past and current customers, including 17 members of the House, 43 of their dependents and 585 House staff members and 231 of their dependents, Kofman testified Wednesday at a joint hearing of House Administration and House Oversight and Accountability subcommittees.

“The fact that such a breach was able to occur left our congressional community in shock,” said House Administration Oversight Subcommittee Chair Barry Loudermilk, R-Ga.

The breach resulted in the “theft, sale and public posting” of personal information, according to Rep. Nancy Mace, R-S.C., who chairs the House Oversight Cybersecurity, Information Technology and Government Innovation Subcommittee, which hosted the hearing along with Loudermilk’s panel.

At least two class-action lawsuits have been filed on behalf of impacted individuals, one of which alleges that more than 500,000 enrollees may have been impacted.

Apologetic tone

Kofman struck an apologetic tone in her first appearance before Congress since the breach, but deflected some of the more difficult questions aimed at her. An investigation is ongoing, she said, to determine the full scope of the breach, who is responsible, and how long data may have been exposed. The server in question was misconfigured in 2018, but may not have been vulnerable for that entire time, Kofman said.

“Once we identify everyone who had any part in it, we’re going to have lots of information to act on and lessons to make sure it never, ever happens again,” Kofman said. Mace said that the responsible parties should be fired.

Mace and Loudermilk both expressed frustration at a relative lack of answers, even after the submission to members of a report by the third-party cybersecurity firm Mandiant, which was brought in to aid in the investigation. Committee on House Administration Chair Bryan Steil, R-Wis., called the Mandiant report “wildly underwhelming,” and Loudermilk, who said representatives from Mandiant declined to appear at the hearing, said it left lawmakers “scratching their heads.”

He also questioned the explanation provided. An exposed IP address alone would not have created an exploitable server, according to Loudermilk, who said he spent 30 years in the information systems industry before coming to Congress.

“There had to be some other vulnerability that was exploited on that server,” he said.
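The distinction Loudermilk is drawing, between a server that is merely reachable at a public IP address and one that actually hands out data to an unauthenticated caller, is the same one an exposure check has to make. The script below is an added illustration and is not code from the article, from DC Health Link or from Mandiant; it says nothing about how that system was actually configured. It stands up a constructed local demo server with two paths (one that serves a report with no authentication, one that correctly answers 401 until credentials are supplied), then probes each path with no credentials and flags only the paths that return a body with a 200 status. Reachable-but-protected (401) and reachable-but-absent (404) are reported as not exposed. The paths and the sample CSV content are invented for the demonstration.

```python
"""Exposure check: which paths on a reachable host serve data with no credentials?

Added example, not from the original article. The demo server, its paths and
the sample report content are constructed for illustration only.
"""
import http.server
import threading
import urllib.error
import urllib.request


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed target: one misconfigured path, one correctly protected path."""

    def do_GET(self):
        if self.path == "/reports/enrollees.csv":
            # Misconfiguration: sensitive report served to anyone who can reach the host.
            body = b"name,ssn\nJane Doe,000-00-0000\n"  # placeholder content, not real data
            self._send(200, body)
        elif self.path == "/admin/export":
            # Correct behaviour: demand credentials before returning anything.
            if self.headers.get("Authorization"):
                self._send(200, b"ok\n")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
                self.send_header("Content-Length", "0")
                self.end_headers()
        else:
            self._send(404, b"")

    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_demo_server():
    """Start the constructed server on a free loopback port; returns the server object."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_unauthenticated(url, timeout=3):
    """GET the URL with no credentials; return (http_status, bytes_received)."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        # 401/403/404 all mean "reachable, but nothing handed out": not an exposure.
        return err.code, 0


def find_exposed(base_url, paths):
    """Return the paths that return content (200 with a body) to an anonymous caller."""
    exposed = []
    for path in paths:
        status, received = probe_unauthenticated(base_url + path)
        if status == 200 and received > 0:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    server = start_demo_server()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    candidates = ["/reports/enrollees.csv", "/admin/export", "/does-not-exist"]
    for p in candidates:
        print(p, probe_unauthenticated(base + p))
    print("exposed without credentials:", find_exposed(base, candidates))
    server.shutdown()
```

The check deliberately sends no credentials at all: a host that answers on a public address but returns 401 for every sensitive path is reachable, not exposed. Only a 200 with a body is treated as a finding, which is the condition Kofman's description of access "without proper authentication" implies and the one Loudermilk says an exposed address alone would not produce.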

The names, Social Security numbers, birthdates, addresses, email addresses and phone numbers of enrollees were accessed in the breach, according to the DC Health Benefit Exchange Authority. At least some of that information was posted on online forums.

The DC Health Benefit Exchange Authority became aware of the breach March 6 and immediately asked an FBI cybersecurity task force for help, Kofman testified. The scope of the breach became clearer by March 7 and by the following day, March 8, Mandiant identified its source and, with the agency’s security manager, shut it down, Kofman said. That same day, members and staff were notified of the breach by the office of House Chief Administrative Officer Catherine Szpindor, who also testified Wednesday. 

Credit monitoring offered

Kofman defended her agency’s response — Mace, too, applauded the effort — and noted it will provide three years of identity theft and credit monitoring protection to all DC Health Link customers, their dependents and children.

She said the health care exchange will be “making enhancements across the board” and is continuing to work with cybersecurity experts to investigate the breach and bolster security.

“I want to say how sorry I am. I know this is personal for many of you, many of your colleagues and many staff members,” Kofman said. “We failed to prevent the theft of two reports which had sensitive personal information of our customers. I want you to know that we have not and will not fail in our response and we are working hard to make sure this never happens again.”
