A lawmaker on Wednesday asked DC Health Link to explain how a data breach that affected hundreds of lawmakers and their staff in early March was caused by human error.
Mila Kofman, executive director of DC Health Link, told lawmakers her organization had explained how the breach occurred and the misconfiguration of cloud servers that allowed hackers to gain access to the data. She said it was still investigating who was responsible.
But her answer did not satisfy Rep. Nancy Mace, R-S.C., chair of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation.
“No one has been held accountable because we still don’t know who is responsible. No one has been fired or lost their contract as a result of their violation. Is it correct to say?” Mace asked Kofman.
Kofman said it was still conducting a full investigation, but was quickly interrupted by Mace, who asked if it had fired the employee responsible for the human error that caused the breach. “Are they fired?” she asked.
Kofman again dodged questions by saying it was conducting a full investigation into the information breach.
“It’s a ‘no’ or ‘I don’t know’ answer, both of which are acceptable answers,” said Mace, who was unsatisfied with the answer.
DC Health Link is the Washington, DC health insurance exchange that manages health care plans for members of Congress.
At the hearing, lawmakers said more than 56,000 people were affected by the breach, including 17 members of Congress and 585 congressional aides.
Kofman was able to identify that the server was misconfigured in mid-2018, but was unable to determine how it happened or who was responsible.
In an opening statement, Kofman said that after her organization learned of the breach, it hired a cybersecurity firm and contacted the FBI’s Cybersecurity Task Force to assist with the investigation.
Based on research, Kofman said she believed the misconfiguration was “a human error, not an intentional one.”
Kofman also told lawmakers that affected individuals have filed a lawsuit against DC Health Link.
Rep. William Timmons, R-S.C., asked Kofman how the organization would pay if it settled and whether it had insurance to cover some of the costs.
Kofman responded that her organization has a cybersecurity insurance plan and capital reserves to use as needed.
“We hope that your cybersecurity insurance is sufficient to cover what is considered damage,” Timmons said.
Kofman also apologized to lawmakers, saying she understands how personal the data breach is to them.
“It will give us a lot of information about when the server was misconfigured, why it was misconfigured, why it wasn’t detected, and all the steps leading up to this event,” Kofman said, referring to a survey in
“And once you’ve identified everyone who has a part of it, you’ll have a lot of information and lessons to act on so that it doesn’t happen again,” she added.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.