Seventeen House members and 585 congressional aides were affected by a data breach at D.C.’s health insurance marketplace last month, the marketplace’s director will tell Congress on Wednesday.
Why it matters: Both Congress and insurance marketplace DC Health Link have been investigating the scope of the recent breach following posts on underground hacker forums selling stolen customer data.
- Wednesday’s hearing will mark the first time both parties will discuss the findings from their investigations — including how the breach happened and the estimated scope of the incident.
Driving the news: Mila Kofman, executive director of DC Health Link, will tell the House Oversight Committee that a misconfigured cloud server allowed malicious actors to steal thousands of customers’ data in early March, according to a copy of her testimony published ahead of the hearing.
- The breach affected 56,415 current and past customers of the health insurance exchange, and the stolen data included names, birth dates and Social Security numbers, per Kofman’s written testimony.
- 43 family members of House lawmakers and 231 dependents of House staff members are also among those affected.
The big picture: DC Health Link is just the latest organization to face a breach due to a misconfigured cloud server.
- About two-thirds of exposed cloud storage buckets had sensitive data, according to a report from Palo Alto Networks released Tuesday.
- “The server was misconfigured to allow access to the reports on the server without proper authentication,” Kofman will say. “Based on our investigation to-date, we believe the misconfiguration was not intentional but human mistake.”
The intrigue: Kofman’s figures are lower than what congressional aides had originally told other news outlets in the weeks leading up to the hearing.
Details: DC Health Link enlisted help from the FBI and Google-owned cyber firm Mandiant on March 6, the day the exchange first learned about the breach, Kofman will testify.
- By March 8, Mandiant had identified the source of the breach, and DC Health Link’s security manager was able to “immediately shut it down,” she’ll add.
- DC Health Link notified six other federal agencies about the breach, as well as three local D.C. chambers of commerce whose members enrolled in health insurance through the exchange.
What’s next: DC Health Link is still conducting its own investigation into the extent of the breach.