DC Health Link Executive Director Mila Kofman testifies before the House Oversight Committee on April 19, 2023.

DC health exchange breach traced back to misconfigured Amazon server

Members of the House Oversight Committee sought answers on Wednesday about a recent breach of Washington D.C.’s health insurance marketplace that exposed the sensitive information of Congressional representatives, staff and thousands of city residents.

During testimony, DC Health Link Executive Director Mila Kofman confirmed that investigators traced the breach back to a misconfigured Amazon cloud server, which was created in 2018.

On it were two documents holding the information of more than 56,000 current and past customers – including 17 members of the House of Representatives, 43 of their dependents, and 585 House staff members and their dependents. According to Kofman, it is still unclear when the server was exposed.

The leaked information held in Microsoft Excel spreadsheets included names, birth dates, Social Security numbers, addresses, citizenship status and more.

The breach was initially discovered on March 6, when Kofman was notified by her staff that a hacker had posted the information of 11 people on the now-defunct Breached Forums as a sample of the stolen data.

The FBI was notified immediately, and by March 7 two officers were working with cybersecurity firm Mandiant to investigate the breach. They were eventually able to trace the stolen data back to the two reports on the misconfigured server.

According to Kofman, the server was integrated with the company’s Slack platform. She did not know whether it was configured by employees or contractors.

“Let me be clear at the outset: the cause of this breach was human mistake. With respect to the ‘root cause’ – the problem here is related to the configurations on a server used for generating and storing automated jobs and weekly reports,” Kofman said.

“The server was misconfigured to allow access to the reports on the server without proper authentication. At no point was the DC Health Link enrollment system breached or exposed.”

Kofman confirmed that several affected individuals have filed lawsuits against DC Health Link.

The more than 56,000 people affected were offered three years of identity-theft protection and credit monitoring covering all three major credit bureaus. The exchange later offered the same protection to everyone enrolled, despite not knowing whether their information had been involved in the breach.

But Kofman said that so far, fewer than 20% of victims have used the protection services — a rate for which she was heavily criticized. Kofman said the exchange had already sent multiple emails and was working with businesses and other healthcare providers to make sure people knew they could get the identity protection.

Several members of Congress also criticized Mandiant for a seven-page report the company produced about the attack and sent out on Friday, noting that the Google-owned security firm declined to appear before the committee. Chairwoman Nancy Mace (R-SC) called the report “lame and uninformed.”

Mandiant told Recorded Future News that the company “had unavoidable scheduling conflicts and has offered to meet with the committee at another time.”

“While we were hoping it would provide more clarity, we were left scratching our heads. We still do not know who is behind the attack. We still do not know if the data is for sale on other areas of the dark web,” said Rep. Barry Loudermilk (R-GA).

“We still do not know how much data the hacker accessed and we still do not know exactly how this was able to occur. However, the report largely blames Amazon Web Services when interestingly enough, Mandiant is a subsidiary of Google, one of AWS’ largest competitors.”

Catherine Szpindor, the chief administrative officer (CAO) for the House of Representatives, testified alongside Kofman and confirmed that vendors typically go through a rigorous cybersecurity verification process before they are approved. DC Health Link, however, is outside of their purview.

When asked whether the agency would pass their security review, Szpindor said no.

“The CAO lacks the authority and capacity to validate or mandate the security measures employed by other government entities it is required to interface with,” she said.

Kofman said in addition to the incident investigation conducted by Mandiant, another unnamed firm is conducting a wider review of DC Health Link’s systems.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.