Recently, it was revealed that a simple human error caused a large data breach at D.C. Health Link.
What happened
A data breach occurred at D.C. Health Link, a health exchange company known to serve many D.C. residents and members of Congress. According to A.P. News, it was revealed that 56,415 current and past customers had information such as their date of birth, social security numbers, and contact information made vulnerable.
Once discovered, the event was immediately investigated by the FBI Cyber Security Task Force. The task force traced the security to a single computer that had been accidentally misconfigured, allowing access to sensitive information without proper authentication.
Once the computer was vulnerable, an unidentified hacker was able to steal two reports, one of which became available for sale on the dark web.
While the breach has been swiftly monitored, the event is still being investigated. Mila Kofman, Executive Direct of the District of Columbia Health Benefit Exchange Authority, and Catherine Szpindor expect to face questioning.
According to a local D.C. news publication, affected Congress members were notified on March 6, but the general public was only notified several days later, leaving many uncertain about their data protection status.
Go deeper: DC Health Link data breach exposes healthcare industry vulnerabilities
Why it matters
D.C. Health Link serves approximately 100,000 people in the D.C. area, allowing them to shop for private health insurance plans. The high status of some of the affected members has led to increased scrutiny of the cybersecurity practices of local health companies.
While human error is difficult to avoid, the D.C. Health Link event highlights the necessity of proper security training. While the computer the company was using may only have been vulnerable for a short time, it was long enough for sensitive data to be stolen and potentially shared.
Health companies and employees must be diligent when it comes to data protection. A recent report shows that many healthcare company employees believe privacy measures aren’t strictly enforced. Even more, say that they don’t know what to do in the event of a data breach.
Read More: New survey reveals gap in cybersecurity implementation
What was said
Kofman commended her agency for responding swiftly, saying, “We are not shying away from this breach. We have been and remain committed to being open and transparent.”
The House Oversight Committee’s subcommittee on cybersecurity, information technology, and government innovation will continue investigating the situation. The subcommittee chairs, Reps. In a press release, Nancy Mace and Barry Loudermilk stated, “The individuals who trusted the D.C. health exchange to keep their personal health data secure are rightly concerned about the potential consequences of this breach on their personal lives. They are relying on us to investigate how it took place, how it could have been avoided, how the fallout can be mitigated, and how to prevent a recurrence.”
Bottom line
The investigation will be ongoing to determine what steps may be taken to ensure an event like this breach is avoided in the future.
In the meantime, it’s recommended that health companies take the utmost precaution to avoid potential data breaches and ensure they can respond swiftly if a breach occurs.
Related: HIPAA Compliant Email: The Definitive Guide.
Abby Grifno
