Connect with us

Hi, what are you looking for?


Data Breaches

House Committee Hears Testimony on DC Health Data Breach

A top administrator with Washington’s health insurance exchange apologized to House members on Wednesday for the data breach that resulted in the disclosure of personal information for thousands of users.

A top administrator with Washington’s health insurance exchange apologized to House members on Wednesday for the data breach that resulted in the disclosure of personal information for thousands of users, including members of Congress.

The leak was the result of human error, Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority, told a joint session of two House Oversight subcommittees.

She said a server was incorrectly configured in mid-2018 when they installed the internal communications program Slack. That faulty configuration allowed an unauthorized individual to access the server and steal two reports containing personal information of “56,415 current and past customers including members of Congress, their families, and staff.”

Some of that information was later offered up for sale in an online forum. The issue first came to public attention when members of the House of Representatives and the Senate were informed that they and their staffers may have been affected.

Kofman repeatedly apologized for the mistake, but she praised her agency’s reaction once the breach was discovered in early March. She said outside experts and the FBI Cyber Security Task Force were brought in to quickly identify and shut down the security flaw. And those potentially impacted by the leak were immediately offered identity theft and credit monitoring protection, she said.

“We will not fail in our response,” Kofman told the committee.

Rep. Nancy Mace, R-S.C. praised the agency’s reaction, telling Kofman, “from a crisis standpoint, the response was excellent.”

Advertisement. Scroll to continue reading.

However, Mace took exception to what she called an “unacceptable” lack of detail on who exactly was responsible and whether that employee or contractor had been punished or fired.

“We want to know who is responsible and we want to know how those responsible are being held accountable,” she said.

Mace also criticized a report by the cyber-security firm Mandient, which helped identify the security flaw — saying it was thin on crucial details. Mace called the report “pretty lame and uninformed.”

Rep. Bryan Steil, R-Wis., wondered if the seven-page report was some sort of early draft, calling it “wildly underwhelming if that’s the final report.”

And Rep. Barry Loudermilk, R-Ga., a former IT professional, said Kofman’s entire testimony shed very little light on when exactly the data theft took place or who exactly was responsible.

“I have become more confused sitting here today as to what happened. I thought this would be clarifying,” he said.

The hearing comes in the larger context of a sweeping effort by the Republican-held House of Representatives to increase their oversight on the government of the District of Columbia. Congress has already overturned a rewrite of the D.C. criminal code — which passed the Senate with significant Democratic support.

The House on Wednesday also passed a resolution to overturn a police reform law passed by the D.C. Council last year, although that move has murkier prospects in the Senate and President Joe Biden has already said he would veto it, if necessary.

Related: Data Breach at Independent Living Systems Impacts 4 Million Individuals

Related: Latitude Financial Services Data Breach Impacts 300,000 Customers

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.


Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.

Data Breaches

Health services company Independent Living Systems has disclosed a data breach that impacts more than 4 million individuals.