House Panel Demands Stronger Cybersecurity in Wake of Health Records Breach

WASHINGTON — A month after cyberthieves looted a local health insurance database making off with the sensitive personal records of members of Congress and thousands of others, a member of a congressional panel looking into the incident on Wednesday declared “that may not be the full extent of the breach.”

The target of the cyberattack last month was the health insurance marketplace DC Health Link.

Names, Social Security numbers, birth dates and addresses of at least 56,415 people were stolen, including from members of Congress.

It was Rep. Nancy Mace, R-S.C., who raised the spector of an even larger breach, and as the investigation continues, suspicions are growing that more than 170,000 people might have had their personal data stolen. 

The hacker then offered the information for sale on the dark web.

“We all want to know how those who are responsible are going to be held accountable,” said Mace, who chaired the joint committee that held the hearing.

Several proposals are pending in Congress, all of them anticipating greater government oversight of public and private computer systems.

Mace said the growing use of artificial intelligence that makes penetrating computer networks easier means a solution must be reached quickly.

DC Health Link was created as the health insurance marketplace for the District of Columbia by the Obama administration’s Patient Protection and Affordable Care Act. In addition to average residents of Washington, D.C., many members of Congress are enrolled in DC Health Link.

On March 6, 2023, DC Health Link detected the data breach.

Days later, the hacker — who used the name Denfur — posted some of the data on the website BreachForums. Later that day, he added a message saying the “intended target WAS U.S. Politicians and members of U.S. Government.” The message also said, “Glory to Russia!”

The FBI took down BreachForums from the internet on March 15 and arrested the operator. The agency has not yet identified the cyberthief.

The cybersecurity firm NETSCOUT last month reported a surge in cyberattacks aimed at the U.S. government for its support of Ukraine in its war with Russia.

The attacks contributed to a Biden administration cybersecurity strategy announced last month that seeks tighter regulation and greater cooperation between industry and government.

Much of it is directed at protecting critical infrastructure, such as dams, hospitals and municipal water facilities.

In DC Health Link’s case, a cybersecurity review showed human error left the system vulnerable to attack. Computer architects who configured the system as early as 2018 left an IP address exposed without the need for authentication.

In other words, anyone who knew the IP address could gain access to two critical reports on DC Health Link’s website that listed personal data of thousands of its customers. No password was needed.

“The cause of this breach was a server that was misconfigured,” said Mila Kofman, executive director of the D.C. Health Benefit Exchange Authority. She called it “a mistake” that already has been corrected.

Nevertheless, the damage was done, leading some lawmakers to lament over the potential for more cyberthreats.

“Data breaches are only going to grow,” said Rep. Gerry Connolly, D-Va.

You can reach us at [email protected] and follow us on Facebook and Twitter