Connect with us

Hi, what are you looking for?


Data Breaches

DC Health Link Data Breach Blamed on Human Error

The recent data breach of personal information for thousands of users of Washington D.C.’s health insurance exchange, including members of Congress, was caused by basic human error

The recent data breach of personal information for thousands of users of Washington D.C.’s health insurance exchange, including members of Congress, was caused by basic human error, according to a top administrator.

The revelation comes from prepared statements submitted in advance of Wednesday’s congressional hearing to investigate the issue. In her statement, Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, states that the data breach was first discovered in early March and includes basic personal information — including date of birth, Social Security numbers and contact information — for “56,415 current and past customers including members of Congress, their families, and staff.”

Kofman states her office immediately brought in the FBI Cyber Security Task Force and the security flaw was quickly tracked down to a particular computer server that was “misconfigured to allow access to the reports on the server without proper authentication. Based on our investigation to-date, we believe the misconfiguration was not intentional but human mistake.”

This security flaw enabled an unidentified hacker to steal two reports that contained the client information — some of which was later offered up for sale in an online forum. The issue first came to public attention when members of the House of Representatives and the Senate were informed that they and their staffers may have been affected.

Kofman states that the stolen data “included that of 17 Members of the House and 43 of their dependents, and 585 House staff members and of their 231 dependents.”

In her testimony Kofman apologizes for the breach, but praises her agency’s response once the leak was detected — identifying and shutting down the security flaw and offered immediate identity theft and credit monitoring protection for those impacted.

“We are not shying away from this breach. We have been and remain committed to being open and transparent,” Kofman’s testimony states.

Advertisement. Scroll to continue reading.

On Wednesday. the House Oversight Committee’s subcommittee on cybersecurity, information technology, and government innovation will question Kofman and Catherine Szpindor, the chief administrative officer for the House of Representatives in a joint session with the Committee on House Administration’s oversight subcommittee.

The two subcommittee chairs, Reps. Nancy Mace (R-South Carolina) and Barry Loudermilk (R-Georgia), said in a joint statement last week that, “The breach of D.C. Health link data put thousands of individuals at risk, including Members of Congress, congressional staff, and family members. The individuals who trusted the D.C. health exchange to keep their personal health data secure are rightly concerned about the potential consequences of this breach on their personal lives. They are relying on us to investigate how it took place, how it could have been avoided, how the fallout can be mitigated, and how to prevent a recurrence.”

The hearing comes in the larger context of a sweeping effort by the Republican-held House of Representatives to increase their oversight on the government of the District of Columbia. Congress has already overturned a rewrite of the D.C. criminal code — which passed the Senate with significant Democratic support. This week the House will also vote on a police reform law passed by the D.C. Council last year, although that move has murkier prospects in the Senate and President Joe Biden has already said he would veto it, if necessary.

Related: Data Breach at Independent Living Systems Impacts 4 Million Individuals

Related: Latitude Financial Services Data Breach Impacts 300,000 Customers

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.


Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.

Data Breaches

Health services company Independent Living Systems has disclosed a data breach that impacts more than 4 million individuals.