WASHINGTON - Following a data breach that impacted the Personally Identifiable Information (PII) and Protected Health Information (PHI) of tens of thousands of individuals at the D.C. Health Benefit Exchange Authority (HBX), the House Administration Committee's Subcommittee on Oversight and the Committee on Oversight and Accountability's Subcommittee on Cybersecurity, Information Technology, and Government Innovation held a joint hearing entitled “Data Breach at the D.C. Health Exchange.”

During the hearing, members pressed HBX on the cause of the data breach, which affected individuals, Members of Congress, congressional staff, and their families. Executive Director of HBX Mila Kofman and Chief Administrative Officer (CAO) for the U.S. House of Representatives Catherine Szpindor testified.

Key Takeaways:

The cause of the data breach was a misconfigured server that was likely the result of human error:

  • On March 6, 2023, HBX discovered that the data of some of its customers in D.C. Health Link had been posted on a data breach forum. The personal information of more than 56,000 individuals was exposed, including names, dates of birth, Social Security numbers, health plan information, and places of residence.
  • Ms. Kofman testified about the breach: “The cause of this breach is a server that was misconfigured, which allowed access to the two stolen reports without proper authentication. The investigation shows the misconfiguration was not intentional. To be clear – it was a human mistake.”

Congress needs more answers to understand exactly what happened, how actors are being held accountable, and how it can reevaluate the cybersecurity standards used by HBX:

  • Ms. Kofman: “We failed to prevent the theft of two reports, which had sensitive, personal information of our customers. I want you to know that we have not – and will not – fail in our response, and we’re working hard to make sure this never happens again."

HBX hired cybersecurity firm Mandiant to produce a forensic report, yet very little was revealed:

  • Chairman Loudermilk: "That 7-page report was shared with us on Friday, and while we were hoping it would provide more clarity, we were left scratching our heads. We still do not know who is behind the attack. We still do not know if the data is for sale on other areas of the dark web. We still do not know how much data the hacker accessed. And we still do not know exactly how this was able to occur. However, the report largely blames Amazon Web Services when, interestingly enough, Mandiant is a subsidiary of Google, one of AWS’s largest competitors. While we invited representatives from Mandiant to come and testify today and answer some of our questions, they declined."

The data breach highlights a risk of congressional data being collected by vendors that do not comply with House of Representatives standards:

  • Ms. Szpindor testified that the House follows rigorous steps to ensure cybersecurity and holds its vendors to those same standards. HBX failed to meet them.
  • Ms. Szpindor: “We have continually improved our cybersecurity posture with the support of House leadership, we addressed staffing deficiencies and significantly increased behind-the-scenes improvements and capabilities to include enhanced real-time network monitoring, better malware detection tools, and improved security controls or devices and application."

Member Highlights:

Committee on House Administration's Oversight Subcommittee Chairman Barry Loudermilk (GA-11) raised concern about the systems HBX has in place to protect against cyberattacks and questioned what they are doing to prevent further breaches:

Chairman Loudermilk: “The majority of data leaks or cyber breaches are as the result of some form of human error. That is just known in the industry.

"When I hear that it was a mistake, human error, tells me that there were other policies that were not in place to protect against these human errors – such as two-person integrity, double checking what people were doing."

Chairman Loudermilk also asked for a commitment to receiving more information about the breach.

Ms. Kofman: “You have Mandiant’s incident report. In addition to that, what I’m committing to doing is providing additional reports and information we gleaned from external independent cybersecurity experts that I’ve asked to look at our entire system, to your point of processes policies, looking at the entire AWS environment that we're in, looking at our firewalls, our code, our configurations. I'm committing to providing you with updates on what we learned from external experts we've hired and all the steps that we're taking to make sure this never happens again. We have tried, and I hope you recognize this, to be as transparent as possible."

Chairman Loudermilk: "We appreciate your transparency with us; we don't appreciate the transparency with the hackers."


Committee on Oversight and Accountability's Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chair Nancy Mace (SC-01) pressed HBX on what caused the server compromise and how it is correcting its mistake:

Chair Mace: “How long was the IP address exposed?”

Ms. Kofman: “We are still investigating. The initial configuration of the server we know occurred mid-2018.

"We are doing an external investigation to identify who was involved in setting up all of the configurations, all of the settings, when that server was being integrated with Slack. Our suspicion is that it happened over time.”

Chair Mace: “Do you all require as a company, a matter of company policy, two-factor authentication for company passwords that are used by employees or contractors?”

Ms. Kofman: “I will have to get back to you on what contractors are required to do.”

Chair Mace: “Because we don’t know who’s responsible for it yet, no one’s been held accountable. No one’s been fired or lost a contract as a result of the breach. Would that be accurate to say? Are you going to fire the contractor or the employee that created this breach issue?"

Ms. Kofman: “We are doing a full investigation."

Chair Mace: “That would be a 'no', or an 'I don’t know', which is not an acceptable answer.”


House Administration Committee Chairman Bryan Steil (WI-01) noted HBX should be held to the same standards as other vendors under the House of Representatives:

Chairman Steil: “How often is the House of Representatives the target of a cyber-attack?"

Ms. Szpindor: “Every single moment of every day.”
...
Chairman Steil: “The breach that occurred on a vendor that doesn’t meet the House’s standards. Is that accurate? The standard that the vendor had, and the error that the vendor had, would not meet the standard that you have for vendors in the United States House of Representatives, right?”

Ms. Szpindor: “With this current breach.”

Chairman Steil: "As the Chief Information Officer of the House and the current CAO, knowing what you do about cybersecurity practices in the D.C. Health Exchange Authority and the vulnerability that led to this breach, would you recommend D.C. Health Exchange Authority as a secure vendor with which the House could confidently do business?"

Ms. Szpindor: "I'm not sure that I can recommend them if we were doing an evaluation today."

Chairman Steil: "They're below your standards, so I can't fathom you'd recommend them. If you did an evaluation today of the standard that existed before the breach, would they pass or fail? They'd fail, right?"

Ms. Szpindor: "Right."

Chairman Steil: "But members are still doing business with the D.C. Health Exchange today. I'll tell you, as Chairman of the Committee on House Administration, I look forward to working toward solutions to ensure that we serve this institution and we're not in this position ever again."


Rep. William Timmons (SC-04) inquired about what standards apply to HBX and who conducts oversight of its systems:

Rep. Timmons: “Do you think that we should reevaluate whether Members of Congress and employees should be forced to use the health exchange?"

Ms. Szpindor: "Well, I really think that that is up to you in Congress to make an evaluation of that.”
