Lawmakers demand accountability for DC Health Link breach

House lawmakers on Wednesday urged DC Health Link to explain how a human error led to a data breach that impacted hundreds of House members and their staff in early March.

Mila Kofman, executive director of DC Health Link, told lawmakers that her organization is still investigating how the breach happened and who was responsible for the cloud server misconfiguration that allowed the hackers​ to gain access to the data.

Her answer, though, did not satisfy Rep. Nancy Mace (R-S.C.), who chairs the Subcommittee on Cybersecurity, Information Technology, and Government Innovation.

“Because we don’t know who’s responsible for it yet, no one has been held accountable. No one has been fired or lost a contract as a result of the breach. Would that be accurate to say?” Mace asked Kofman.

Kofman answered that they are still conducting a full investigation but was quickly interrupted by Mace, who asked whether they had fired the employee responsible for the human error that caused the breach. “Will they be fired?” she asked.

Kofman once again dodged the question by saying that they are doing a full investigation of the breach.

Not satisfied with the response, Mace said, “That would be a ‘no’ or an ‘I don’t know’ which is an acceptable answer.”

DC Health Link is Washington, D.C.’s health insurance exchange and administers health care plans for members of Congress.

During the hearing, lawmakers said that the breach affected over 56,000 individuals, including 17 House members and 585 congressional aides.

Kofman was able to determine that the server was misconfigured in mid-2018 but couldn’t say how it happened and who’s responsible. 

In her opening statement, Kofman said that once her organization learned about the breach, they hired a cybersecurity firm and reached out to the FBI’s cyber security task force to help with the investigation.

Kofman said that based on the investigation, they believe that the misconfiguration was “not intentional but a human mistake.”

Kofman also told lawmakers that lawsuits have been filed by affected individuals against DC Health Link.

Rep. William Timmons (R-S.C.) asked Kofman how the organization was going to pay if it settled and if it has insurance to cover some of the expenses. 

Kofman responded that her organization has a cybersecurity insurance plan and a capital reserve that it would use if it had to.

“I just hope that your cybersecurity insurance is sufficient to cover whatever damages are deemed to have,” Timmons said. 

Kofman also apologized to the lawmakers, saying she understands how personal the data breach is to them.

“We’re going to have a lot of information on when the server was misconfigured, why it was misconfigured, why it wasn’t caught and all of the steps that led to this event,” Kofman said, referring to the ongoing investigation.

“And once we identify everyone who had any part of it, we’re going to have lots of information to act on and lessons to make sure it never ever happens again,” she added.