A data breach affecting DC Health Link, Washington D.C.'s health insurance exchange, was the result of a misconfigured server, according to an executive’s statement at a recent U.S. House Oversight Committee hearing.

Last month, DC Health Link confirmed it had experienced a breach after information for approximately 170,000 individuals was put up for sale on a dark web forum. The breach originated from a server that was misconfigured, allowing reports stored on it to be accessed without proper authentication.

“The cause of this breach was human mistake,” said Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority, during her congressional testimony. Kofman explained that an error in server configurations enabled unauthorized access to sensitive information, including names, dates of birth, and social security numbers for 56,415 current and past customers. This affected members of Congress, their families, staff, and other individuals insured through the program.

The breach led to the theft of two reports containing the sensitive data. Kofman offered an apology during her opening remarks, stating that while the exchange failed to prevent the incident, they are committed to strong incident response and future prevention measures.

Let me be clear at the outset: The cause of this breach was human mistake.
Mila Kofman, executive director, D.C. Health Benefit Exchange Authority

Following the breach, DC Health Link enlisted the help of cybersecurity firm Mandiant and engaged the FBI Cyber Security Task Force. Law enforcement, CISA, and both houses of Congress have been briefed as part of ongoing efforts to address the situation and improve security across the system.