17 House members, 585 staff members affected in DC Health Link data breach


Seventeen House members and 585 congressional aides were affected by a data breach at D.C.’s health insurance marketplace last month, the marketplace’s director will tell Congress on Wednesday.

Why it matters: Both Congress and insurance marketplace DC Health Link have been investigating the scope of the recent breach following posts on underground hacker forums selling stolen customer data.

  • Wednesday’s hearing will mark the first time both parties will discuss the findings from their investigations — including how the breach happened and the estimated scope of the incident.

Driving the news: Mila Kofman, executive director of DC Health Link, will tell the House Oversight Committee that a misconfigured cloud server allowed malicious actors to steal thousands of customers’ data in early March, according to a copy of her testimony published ahead of the hearing.

  • The breach affected 56,415 current and past customers of the health insurance exchange, and the stolen data included names, birth dates and Social Security numbers, per Kofman’s written testimony.
  • 43 family members of House lawmakers and 231 dependents of the House staff members are among those affected, as well.

The big picture: DC Health Link is just the latest organization to face a breach due to a misconfigured cloud server.

  • About two-thirds of exposed cloud storage buckets had sensitive data, according to a report from Palo Alto Networks released Tuesday.
  • “The server was misconfigured to allow access to the reports on the server without proper authentication,” Kofman will say. “Based on our investigation to-date, we believe the misconfiguration was not intentional but human mistake.”

The intrigue: Kofman’s figures are lower than what congressional aides had originally told other news outlets in the weeks leading up to the upcoming hearing.

Details: DC Health Link enlisted help from the FBI and Google-owned cyber firm Mandiant on March 6, the day the exchange first learned about the breach, Kofman will testify.

  • By March 8, Mandiant had identified the source of the breach, and DC Health Link’s security manager was able to “immediately shut it down,” she’ll add.
  • DC Health Link notified six other federal agencies about the breach, as well as three local D.C. chambers of commerce whose members enrolled in health insurance through the exchange.

What’s next: DC Health Link is still conducting its own investigation into the extent of the breach.
