Hundreds of members of congress affected by data breach

DC
Health
Link,
the
provider
of
health
insurance
for
those
in
the
United
States
(US)
Government,
has
suffered
a
data
breach
that
affects
over
50,000
people. 

The
breach,
which
took
place
on
March
6,
saw
an
unauthorized
party
gain
access
to
the
data
of
56,415
current
and
past
customers
of
DC
Health
Link,
including
585
staff
members
and
17
members
of
the
US
Congress. 

In
a
message
sent
to
employees
on
March
8,
the
US
House
of
Representatives
explained
that
the
data
breach
has
“potentially
expos[ed]
the
Personal
Identifiable
Information
(PII)
of
thousands
of
enrollees”.
 
After
the
breach
was
discovered,
DC
Health
Link
reported
it
to
the
FBI
and
Google-owned
cyber
security
firm
Madinat.
Following
this,
the
health
insurance
company
notified
six
other
federal
agencies
whose
employees
use
DC
Health
Link
for
their
health
insurance. 

Mila
Kofman,
executive
director
of
DC
Health
Link,
submitted
documents
ahead
of
her
testimony
before
the
House
Oversight
Committee
on
April
19,
revealing
that
the
data
breach
was
caused
by
a
misconfigured
cloud
server.

This
misconfiguration
was,
according
to
Kofman,
caused
by
human
error
rather
than
malicious
intentions,
and
once
discovered
was
shut
down
immediately
by
the
security
manager
at
DC
Health
Link. 

When
surveyed
by
Cyber
Security
Hub,

one
in
four
(25
percent)
of
cyber
security
professionals
said
that
their
companies
were
investing
in
cloud
security
capabilities.
As
more
companies
invest
in
and
migrate
to
the
cloud,
they
should
be
aware
of
the
risks
and
ensure
that
protections
are
put
in
place
to

prevent
attacks
and
breaches.

Matt
Kerr,
CEO
and
founder
of
appliance
repair
site
Appliance
Geeked,
notes
that
while
the
cloud-based
data
storage
can
be
equipped
with
cyber
security
measures
to

prevent
data
breaches,
if
a
company
hosts
a
large
amount
of
valuable
customer
data,
even
a
partial
breach
can
have
far-reaching
negative
effects.

This
is
because
a
company’s
cloud
storage
contains
“enormous
hoards
of
extraordinarily
valuable
data”,
even
if
an
attacker
only
gains
access
to
a
fraction
of
this
data,
they
can
do
real
damage
with
it. 

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts