
D.C. Health Link logo
(Image source: D.C. Health Link, 2021)
Update 4/18/2023: Additional information about the breach was added, including its cause: a misconfiguration.
One-sentence summary:
D.C. Health Link, an ACA health insurance marketplace whose customers include members of Congress and their staff, was breached in March 2023 due to “human error”, and the data of 56,415 customers was offered for sale on the dark web.
Who was involved?
D.C. Health Marketplace/D.C. Health Link, D.C. Health Benefit Exchange Authority (DCHBX), 56,415 D.C. Health Link customers, members of Congress (including aides) and their families/dependents, Mandiant, FBI, and a BreachForums threat actor.
What was the timeline?
March 6, 2023: D.C. Health Link is allegedly breached by BreachForums members, and the stolen data is posted for sale on BreachForums. D.C. Health Link discovers the breach the same day.
March 7, 2023: Stolen data is purchased by the FBI (Kofman, 2023, p. 2; Nobles et al., 2023).
March 8, 2023: Mandiant discovers the cause of the breach and helps remediate it (Sabin, 2023). Congressional members are notified of the breach via email and D.C. Health Link makes its first public notification.
March 9, 2023: D.C. Health Link Executive Board procures 3 years of identity monitoring with all three credit bureaus for all D.C. Health Link members. Individualized notification begins.
What occurred?
D.C. Health Link’s data was accessed by members of BreachForums through a misconfiguration, and the data was posted for sale online by IntelBroker (Sabin, 2023; Gatlan, 2023, para. 9). The FBI purchased some of the data from IntelBroker as part of its investigation (Nobles et al., 2023, para. 15). Breached data included: “Subscriber ID,Member ID,Policy ID,Status,First Name,Last Name,SSN,DOB,Gender,Relationship,Benefit Type,Plan Name,HIOS ID,Plan Metal Level,Carrier Name,Premium Amount,Premium Total,Policy APTC,Policy Employer Contribution,Coverage Start,Coverage End,Employer Name,Employer DBA,Employer FEIN,Employer HBX ID,Home Address,Mailing Address,Work Email,Home Email,Phone Number,Broker,Race,Ethnicity,Citizen Status,Plan Year Start,Plan Year End,Plan Year Status” (Gatlan, 2023, para. 8).
Estimated costs:
Not publicly quantified. Costs include incident response (Mandiant), breach notification, and identity and credit monitoring: “3 years” of “protection for all three major credit bureaus for our affected customers”, extended to dependents and to non-affected customers (Kofman, 2023, p. 2).
Involved laws:
Regional: District’s Consumer Security Breach Notification Act, D.C. Code § 28–3851
Root cause:
Misconfiguration: publicly exposed cloud storage bucket (Sabin, 2023)
Lessons learned:
Doer/checker (two-person) policy for configuration changes. Restrict the right to grant public read access to a small set of delegated individuals. Continuous vulnerability scanning and assessment. SIEM/IT alerting on any folder or file that becomes publicly readable. Automatic rollback of such changes (e.g., a Lambda function triggered by a CloudWatch Events rule).
D.C. Health Link’s Executive Director enumerated the controls in place before the breach, including: “FortiNet & FortiGate, CloudFlare, Splunk, and Tenable Nessus” (Kofman, 2023, p. 4). Mila Kofman also states that the exchange sees an average of 2,000 malicious attacks a day, with peaks of up to 560,000 (Kofman, 2023, p. 4). This illustrates that an organization can have an array of enterprise-grade controls in operation, yet miss basic configuration principles and fall prey to cybercrime.
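The alerting-plus-rollback control described above, as an added example that is not D.C. Health Link’s, Mandiant’s or AWS’s code: it models the logic a Lambda handler would run when a CloudWatch Events/EventBridge rule forwards a CloudTrail PutBucketAcl or PutBucketPolicy event for an S3 bucket. It flags grants to the AllUsers/AuthenticatedUsers groups and Allow statements with a wildcard principal, then re-applies S3 Block Public Access as the rollback. The event payloads, bucket names and account ID are constructed for the example; the only real API used is boto3’s put_public_access_block, which is imported lazily so the detection logic runs offline.

```python
"""Detect and roll back public-read access on an S3 bucket (added example).

Models a SIEM/auto-rollback control: evaluate a CloudTrail S3 control-plane
event and, if it made the bucket public, re-enable S3 Block Public Access.
Sample events below are constructed, not real CloudTrail records.
"""
import json
from typing import Any

# Grantee URIs that make an ACL grant readable by anyone / any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:GetObject", "s3:GetObject*", "s3:Get*", "s3:*", "*"}


def public_acl_grants(acl: dict[str, Any]) -> list[str]:
    """Return 'Group:Permission' for each public read grant in an S3 ACL."""
    grants = acl.get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is serialized as an object
        grants = [grants]
    findings = []
    for g in grants:
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS and g.get("Permission") in READ_PERMISSIONS:
            findings.append(f"{uri.rsplit('/', 1)[-1]}:{g['Permission']}")
    return findings


def public_policy_statements(policy: dict[str, Any]) -> list[str]:
    """Return Sids of unconditioned Allow statements that let anyone read objects."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue  # conditions (e.g. aws:SourceVpce) are out of scope here
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if anyone and READ_ACTIONS & set(actions):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


def evaluate_event(event: dict[str, Any]) -> dict[str, Any]:
    """Decide whether a PutBucketAcl / PutBucketPolicy event made a bucket public."""
    detail = event.get("detail", event)  # EventBridge wraps CloudTrail in "detail"
    name = detail.get("eventName")
    params = detail.get("requestParameters", {})
    findings: list[str] = []
    if name == "PutBucketAcl":
        findings = public_acl_grants(params.get("AccessControlPolicy", {}))
    elif name == "PutBucketPolicy":
        policy = params.get("bucketPolicy", {})
        findings = public_policy_statements(
            json.loads(policy) if isinstance(policy, str) else policy)
    return {
        "bucket": params.get("bucketName", "<unknown>"),
        "actor": detail.get("userIdentity", {}).get("arn", "<unknown>"),
        "event": name,
        "public": bool(findings),
        "findings": findings,
    }


def rollback(bucket: str, dry_run: bool = True) -> dict[str, Any]:
    """Rollback action: re-enable all four S3 Block Public Access settings.

    dry_run returns the request that would be sent; otherwise boto3 sends it
    (assumes credentials allowing s3:PutBucketPublicAccessBlock).
    """
    config = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    if not dry_run:
        import boto3
        boto3.client("s3").put_public_access_block(
            Bucket=bucket, PublicAccessBlockConfiguration=config)
    return {"Bucket": bucket, "PublicAccessBlockConfiguration": config}


def lambda_handler(event: dict[str, Any], context: Any = None,
                   dry_run: bool = True) -> dict[str, Any]:
    """Entry point: alert payload for the SIEM, with rollback when public."""
    verdict = evaluate_event(event)
    if verdict["public"]:
        verdict["rollback"] = rollback(verdict["bucket"], dry_run=dry_run)
    return verdict


# Constructed sample events (hypothetical bucket, account and user).
SAMPLE_PUBLIC_ACL_EVENT = {"detail": {
    "eventName": "PutBucketAcl",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
    "requestParameters": {"bucketName": "example-enrollment-reports",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"xsi:type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}}}}}
SAMPLE_PRIVATE_POLICY_EVENT = {"detail": {
    "eventName": "PutBucketPolicy",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-admin"},
    "requestParameters": {"bucketName": "example-enrollment-reports",
        "bucketPolicy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "ReportReader", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/report-reader"},
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-enrollment-reports/*"}]})}}}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_PUBLIC_ACL_EVENT), indent=2))
    print(json.dumps(lambda_handler(SAMPLE_PRIVATE_POLICY_EVENT), indent=2))
```

The verdict dict doubles as the SIEM alert: it records the actor ARN, so the doer/checker policy can be enforced after the fact (who granted public access, and whether they were one of the delegated individuals). Note that the handler only reacts to control-plane events; a bucket that was already public before the rule was deployed needs a one-time sweep with the same two check functions.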
Sources:
Broadwater, L. (2023, March 11). D.C. and Congress Health Data Breach Affected More Than 56,000. The New York Times. https://www.nytimes.com/2023/03/10/us/politics/dc-hack-data-congress-health-marketplace.html
D.C. Health Link. (2021, May). dc-health-link-blog.jpg. DC Chamber of Commerce. https://dcchamber.org/wp-content/uploads/2021/05/dc-health-link-blog.jpg
Gatlan, S. (2023, March 10). FBI investigates data breach impacting U.S. House members and staff. BleepingComputer. Retrieved March 12, 2023, from https://www.bleepingcomputer.com/news/security/fbi-investigates-data-breach-impacting-us-house-members-and-staff/
Kofman, M. (2023). JOINT HEARING BEFORE THE UNITED STATES HOUSE OVERSIGHT AND ACCOUNTABILITY SUBCOMMITTEE ON CYBERSECURITY, INFORMATION TECHNOLOGY, AND GOVERNMENT INNOVATION AND HOUSE ADMINISTRATION SUBCOMMITTEE ON OVERSIGHT. In Committee on Oversight and Accountability. United States House of Representatives. Retrieved April 19, 2023, from https://oversight.house.gov/wp-content/uploads/2023/04/Mila-Kofman-Written-Testimony-April-19-2023.pdf
Nobles, R., Thorp, F., V, Richards, Z., & Collier, K. (2023, March 9). FBI finds personal information of lawmakers and staff being sold on dark web. NBC News. Retrieved March 12, 2023, from https://www.nbcnews.com/politics/congress/data-breach-hits-lawmakers-staff-capitol-hill-rcna74061
Sabin, S. (2023, April 18). 17 House members, 585 aides affected in D.C. health insurance breach. Axios. https://www.axios.com/2023/04/18/dc-health-insurance-breach-data-hearing