[Joint House and Senate Hearing, 118 Congress]
[From the U.S. Government Publishing Office]


                 DATA BREACH AT THE D.C. HEALTH EXCHANGE

=======================================================================

                             JOINT HEARING

                               BEFORE THE

               SUBCOMMITTEE ON CYBERSECURITY, INFORMATION
                 TECHNOLOGY, AND GOVERNMENT INNOVATION

                                 OF THE

               COMMITTEE ON OVERSIGHT AND ACCOUNTABILITY

                                AND THE

                       SUBCOMMITTEE ON OVERSIGHT

                                 OF THE

                   COMMITTEE ON HOUSE ADMINISTRATION

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             APRIL 19, 2023

                               __________

                           Serial No. 118-23

                               __________

  Printed for the use of the Committee on Oversight and Accountability


                       Available on: govinfo.gov
                         oversight.house.gov or
                             docs.house.gov
                             
                           ______

             U.S. GOVERNMENT PUBLISHING OFFICE 
 51-895 PDF         WASHINGTON : 2023 
 
               COMMITTEE ON OVERSIGHT AND ACCOUNTABILITY

                    JAMES COMER, Kentucky, Chairman

Jim Jordan, Ohio                     Jamie Raskin, Maryland, Ranking Minority Member
Mike Turner, Ohio                    Eleanor Holmes Norton, District of Columbia
Paul Gosar, Arizona                  Stephen F. Lynch, Massachusetts
Virginia Foxx, North Carolina        Gerald E. Connolly, Virginia
Glenn Grothman, Wisconsin            Raja Krishnamoorthi, Illinois
Gary Palmer, Alabama                 Ro Khanna, California
Clay Higgins, Louisiana              Kweisi Mfume, Maryland
Pete Sessions, Texas                 Alexandria Ocasio-Cortez, New York
Andy Biggs, Arizona                  Katie Porter, California
Nancy Mace, South Carolina           Cori Bush, Missouri
Jake LaTurner, Kansas                Shontel Brown, Ohio
Pat Fallon, Texas                    Jimmy Gomez, California
Byron Donalds, Florida               Melanie Stansbury, New Mexico
Kelly Armstrong, North Dakota        Robert Garcia, California
Scott Perry, Pennsylvania            Maxwell Frost, Florida
William Timmons, South Carolina      Becca Balint, Vermont
Tim Burchett, Tennessee              Summer Lee, Pennsylvania
Marjorie Taylor Greene, Georgia      Greg Casar, Texas
Lisa McClain, Michigan               Jasmine Crockett, Texas
Lauren Boebert, Colorado             Dan Goldman, New York
Russell Fry, South Carolina          Jared Moskowitz, Florida
Anna Paulina Luna, Florida
Chuck Edwards, North Carolina
Nick Langworthy, New York
Eric Burlison, Missouri

                       Mark Marin, Staff Director
       Jessica Donlon, Deputy Staff Director and General Counsel
             Raj Bharwani, Senior Professional Staff Member
                 Lauren Lombardo, Senior Policy Analyst
                      Peter Warren, Senior Advisor
      Mallory Cogar, Deputy Director of Operations and Chief Clerk

                      Contact Number: 202-225-5074

                  Julie Tagen, Minority Staff Director
                      Contact Number: 202-225-5051
                                 ------                                

 Subcommittee on Cybersecurity, Information Technology, and Government 
                               Innovation

                 Nancy Mace, South Carolina, Chairwoman
William Timmons, South Carolina      Gerald E. Connolly, Virginia, Ranking Minority Member
Tim Burchett, Tennessee              Ro Khanna, California
Marjorie Taylor Greene, Georgia      Stephen F. Lynch, Massachusetts
Anna Paulina Luna, Florida           Kweisi Mfume, Maryland
Chuck Edwards, North Carolina        Jimmy Gomez, California
Nick Langworthy, New York            Jared Moskowitz, Florida
Eric Burlison, Missouri
                                 ------                                

                   COMMITTEE ON HOUSE ADMINISTRATION

                    Bryan Steil, Wisconsin, Chairman

Barry Loudermilk, Georgia            Joseph Morelle, New York, Ranking Member
H. Morgan Griffith, Virginia         Terri Sewell, Alabama
Greg Murphy, North Carolina          Norma Torres, California
Stephanie Bice, Oklahoma             Derek Kilmer, Washington
Mike Carey, Ohio
Anthony D'Esposito, New York
Laurel Lee, Florida

                      Tim Monahan, Staff Director
                      Contact Number: 202-225-8281

         Jamie Fleet, Minority Staff Director & Chief of Staff
                      Contact Number: 202-225-2061
                                 ------                                

                       Subcommittee On Oversight

                  Barry Loudermilk, Georgia, Chairman

H. Morgan Griffith, Virginia         Norma Torres, California, Ranking Member
Greg Murphy, North Carolina          Derek Kilmer, Washington
Anthony D'Esposito, New York

                         C  O  N  T  E  N  T  S

                              ----------                              

Hearing held on April 19, 2023

                               Witnesses

                              ----------                              

Ms. Mila Kofman, Executive Director, DC Health Benefit Exchange 
  Authority
Oral Statement

Ms. Catherine Szpindor, Chief Administrative Officer, U.S. House 
  of Representatives
Oral Statement

Written opening statements and statements for the witnesses are 
  available on the U.S. House of Representatives Document 
  Repository at: docs.house.gov.

                           Index of Documents

                              ----------                              

  * Questions for the Record: to Ms. Szpindor; submitted by Rep. 
  Connolly.

  * Questions for the Record: to Ms. Kofman; submitted by Rep. 
  Connolly.

  * Questions for the Record: to Ms. Kofman; submitted by Rep. 
  Loudermilk.

  * Questions for the Record: to Ms. Kofman; submitted by Rep. 
  Torres.

Documents are available at: docs.house.gov.


                DATA BREACH AT THE D.C. HEALTH EXCHANGE

                              ----------                              


                       Wednesday, April 19, 2023

                   House of Representatives

               Committee on Oversight and Accountability

 Subcommittee on Cybersecurity, Information Technology, and Government 
                               Innovation

                           jointly, with the

                   Committee on House Administration

                       Subcommittee on Oversight

                                           Washington, D.C.

    The Subcommittees met, pursuant to notice, at 3:03 p.m., in 
room 2154 Rayburn House Office Building, Hon. Nancy Mace 
[Chairwoman of the Subcommittee on Cybersecurity, Information 
Technology, and Government Innovation] presiding.
    Present from the Committee on Oversight and Accountability 
[Subcommittee on Cybersecurity, Information Technology, and 
Government Innovation]: Representatives Mace, Timmons, 
Burchett, Edwards, and Connolly.
    Present from Committee on House Administration 
[Subcommittee on Oversight]: Representatives Loudermilk, Steil, 
Griffith, Torres, and Morelle.
    Also present: Representative Norton.
    Ms. Mace. All right, my partner in crime, the gentleman 
from Virginia, has arrived, so we are going to get started.
    Mr. Connolly. Now that we know what time we are supposed to 
start.
    Ms. Mace. Yes. Thank you, Mr. Connolly. So, the 
Subcommittee on Cybersecurity, Information Technology, and 
Government Innovation and the Subcommittee on Oversight will 
come to order.
    I would like to begin by welcoming Mr. Connolly--good 
afternoon, sir--as we tiptoe in, but also by welcoming House 
Administration Oversight Subcommittee Chairman, Barry 
Loudermilk, and Ranking Member Norma Torres. We also have with 
us Chairman Bryan Steil and Ranking Member Joe Morelle. We are 
pleased for you all to join us today. After conferring with 
Chairman Loudermilk, we agreed that today's joint hearing will 
operate under the rules of the Committee on Oversight and 
Accountability.
    Without objection, Congresswoman Eleanor Holmes Norton of 
Washington, D.C., is waived on to the Subcommittee this afternoon 
for the purpose of questioning witnesses.
    Without objection, the Chair may declare a recess at any 
time.
    I now recognize myself for the purpose of making an opening 
statement.
    First of all, good afternoon and welcome. This is a joint 
hearing of this panel, the Subcommittee on Cybersecurity, 
Information Technology, Government Innovation in the House 
Oversight and Accountability Committee, and the House 
Administration Committee's Subcommittee on Oversight, which is 
chaired by the gentleman from Georgia to my left, Mr. 
Loudermilk. Since this is a joint hearing, we will all have 
opening statements from the Chair and Ranking Member of both 
Subcommittees. That is a total of four opening statements, so I 
am going to keep my remarks as brief as possible.
    First, I want to explain why we are conducting this hearing 
jointly. The data breach we are going to get to the bottom of 
today is of great concern to Members of Congress, staff, 
Federal employees, and all those who use the D.C. Health 
Exchange. The overwhelming majority, about 90 percent, of the 
Exchange enrollees are not affiliated with Congress. So this is 
not just about us, this is about everybody who has been 
affected by this breach.
    There are people who get health insurance through the 
Exchange as individuals or employees of one of over 5,000 
participating small businesses. This data breach is the latest 
in a troubling string of cyber breaches exposing confidential 
data of ordinary Americans. All too often these breaches 
involve government agencies or programs to whom people are 
entrusting their most personal information.
    We know the recent data breach at D.C. Health Benefit 
Exchange Authority resulted in the theft, sale, and public 
posting of confidential personal information of thousands of 
individuals getting health insurance via the Exchange, and that 
may not be the fullest extent of the breach. Indeed, the 
vulnerability through which the breach occurred may have 
actually exposed up to 200,000 or more individuals to hackers 
and exposed their personal information.
    Last month, several internal health insurance enrollment 
reports maintained by D.C. Health Link were accessed without 
authorization and then posted online. These Excel spreadsheets 
sold and posted on the dark web contain data including the 
personal information on each Exchange enrollee listed. That 
would be their name, their date of birth, their age, their 
Social Security Number, telephone numbers, their home 
addresses, mailing addresses, email addresses, their employer, 
their health plan, their health insurance premium, race, 
ethnicity, citizenship status, and more.
    The advent of AI is only going to make breaches like this 
even more vulnerable to personal data, and it will only get 
worse if businesses and government agencies are ill-prepared 
for what lies ahead. People should be able to sign up for 
healthcare without surrendering to public view their most 
confidential personal information. So, the Subcommittees are 
convening here today to find out, with the help of our 
witnesses, how this data breach happened, and I do expect to 
have some concrete, substantive answers because if we 
filibuster here today, none of us are going to be happy. This 
is too important to not get the information.
    We want to know who is responsible. We are going to want an 
answer for that. And we are going to want to know how those 
responsible are going to be held accountable. Do they even 
still have a job today? It would be one of my first questions. 
And what is being done to ensure that this does not ever happen 
again?
    And with that, I would like to yield to the Ranking Member 
of this Subcommittee, Mr. Connolly from Virginia.
    Mr. Connolly. Thank you so much, Madam Chairwoman, and 
thank you for convening this hearing, and very much enjoy 
collaborating with our colleagues today.
    In 2022, Federal Bureau of Investigation's Internet Crime 
Complaint Center received over 800,944 phishing, personal data 
breach, or other complaints, representing estimated losses of 
more than $10.2 billion, an increase of more than $3.3 billion 
from just the previous year. As we stated during our last 
Subcommittee hearing, data breaches, including government data 
breaches, are no longer unusual incidents.
    In 2015, an OPM data breach, for example, exposed the 
private information of nearly 22 million American individuals, 
including my own personal information. 2019, the Russian 
Foreign Intelligence Service compromised SolarWinds software, 
which is widely used across the Federal Government. And in 
2021, Microsoft reported that China's Ministry of State 
Security exploited vulnerabilities in their Exchange service.
    Today we are here to talk about the recent D.C. Health Link 
data breach, which affected 56,415 individuals, including 17 
Members of Congress, 43 of their family members, and 585 House 
staff members and 231 of their family members. Despite D.C. 
Health Link's robust cybersecurity practices, including the use 
of leading commercial cybersecurity solutions, next-generation 
firewall protections, and increased stress testing efforts, the 
organization remained vulnerable to attack.
    According to the investigative findings to date, an 
undetected human error caused this breach. It was not 
underlying IT technical issues, legacy IT systems, or even 
understaffing, a human error left the database vulnerable to 
unauthorized access. A breach demonstrates that even 
organizations with sophisticated cybersecurity practices must 
remain vigilant to potential risks because one small oversight 
is the only window an opportunistic hacker needs to break in.
    The breach also demonstrates that bad actors may not only 
hide in the dark web. They may also, as in recent high-profile 
cases, use stolen data that landed easily on accessible public 
websites where the bad actor published the information to gain 
notoriety. Our cybersecurity posture must adapt to this new 
ecosystem. Fortunately, law enforcement has been working 
aggressively to dismantle key players in the cybercrime 
ecosystem, including those associated with this very breach we are 
considering today.
    On March 15, the FBI took down the website BreachForums, 
the online hub of illicit activity used to expose the D.C. 
Health Link data, and arrested its alleged founder. While I 
acknowledge the D.C. Health Benefit Exchange Authority's 
commitment to protecting the data of customers from another 
breach, the fact of the matter is that the information of more 
than 56,000 people has been compromised, putting their physical 
safety and financial security at some risk. These individuals 
join hundreds of millions of Americans who have had their data 
stolen in the past year alone, and data breaches are only going 
to grow in scope.
    We need to move swiftly to implement the national cyber 
strategy examined in this Subcommittee just last month, which 
will drive important changes to better-protect Americans' 
sensitive data. Throughout my career in the private sector, and 
local and Federal Governments, I have championed a trifecta 
cybersecurity strategy that encompasses modernizing IT systems, 
building a skilled Federal cybersecurity workforce, and, most 
importantly perhaps, fostering a security-centric culture at 
all levels of government.
    One of the primary ways Congress can enforce the trifecta 
is through consistent and sustained oversight of Agency 
compliance with the Federal Information Technology Acquisition 
Reform Act, which grew out of this Committee, FITARA. Through 
the scorecard we have and the hearings we have on that 
scorecard, and I very much appreciate Chairwoman Mace 
recommitting this Subcommittee holding those updated hearings, 
we have promoted effective IT modernization by empowering 
Agency CAOs and ensuring they have a seat and a voice in 
decision-making. We are proud of the scorecard that has secured 
big victories for the IT community by elevating CAOs within 
their agencies to ensure they are key players in fundamental 
conversations.
    In today's hearing, we need to hear a strategy from D.C. 
Health Benefit Exchange Authority to improve oversight and 
internal governance proceedings. They must continue to act 
urgently to address remaining cybersecurity concerns, provide 
resources to breach victims, and instill the safeguards needed 
to prevent future breaches.
    I agree with Chairwoman Mace. We want to hear answers 
today, not excuses, so that we can try to make sure that this 
sort of thing does not happen again, and that we protect the 
privacy of those who have had their data breached. With that I 
yield back. Thank you, Madam Chairwoman.
    Ms. Mace. Thank you. I now recognize Chairman Barry 
Loudermilk for the purpose of making an opening statement.
    Mr. Loudermilk. Well, thank you, Chair Mace, for partnering 
with our Subcommittee to hold this joint hearing, and for 
hosting us in your Committee room here today.
    On March 6, data was breached from the D.C. Health Exchange 
and posted on the dark web. As a result, the personal 
identifiable information of tens of thousands of people was 
exposed. This includes over 800 Members of Congress, their 
staff, and families who are required by law to use D.C. Health 
Link. The fact that such a breach was able to occur left our 
congressional community in shock.
    It is well-known that the U.S. Congress is a key target for 
cyberattacks, both foreign and domestic. That is why the Chief 
Administrative Officer has an Office of Cybersecurity that sets 
high standards for vendors and contractors hoping to do 
business with the House. These safeguards help protect Members, 
staff, and their families' data from thousands of cyberattacks 
that happen every month. Unfortunately, the D.C. Health Link is 
not subject to those same standards.
    Now, prior to serving in Congress, I spent 30 years in the 
information systems industry, both in the public and private 
sector, so I know just how vital it is to ensure that there are 
high standards and protocols in place when dealing with 
personal identifiable information.
    Our goal for today's hearing is two-fold. First, we must 
learn how this breach was able to happen and how we can 
minimize the harm to all individuals impacted. Second, we must 
discuss the improvements that those who support the House need 
to make to ensure that those impacted by this breach are never 
put in this position again. Also, I would like to discuss the 
preliminary findings from the forensic report produced by 
Mandiant, a well-known cybersecurity firm that was hired by the 
D.C. Health Exchange in the aftermath of the breach. That 7-
page report was shared with us on Friday, and while we are 
hoping it would provide more clarity, we were left scratching 
our heads.
    We still do not know who is behind the attack. We still do 
not know if the data is for sale on other areas of the dark 
web. We still do not know how much data the hacker accessed, 
and we still do not know exactly how this was able to occur. 
However, the report largely blames Amazon Web Services, when, 
interestingly enough, Mandiant is a subsidiary of Google, one 
of AWS' largest competitors. While we invited representatives 
from Mandiant to come and testify today and answer some of our 
questions, they declined. That is disappointing.
    This breach occurred at a time when threats to Members of 
Congress are still at historic highs. I know this firsthand. It 
is unacceptable that over a month later, we still do not have 
answers and continue to be left in the dark. I look forward to 
getting answers and learning what steps we can take to better 
protect this information. Thank you, and I yield back.
    Ms. Mace. Thank you. I would now like to recognize Ranking 
Member Norma Torres for the purpose of making her opening 
statement.
    Mrs. Torres. Thank you to the Chair, and I want to join my 
colleagues in welcoming Ms. Szpindor and Ms. Kofman. Thanks for 
coming before our Committee today.
    The recent data breach to the D.C. Health Benefit Exchange 
compromised the personally identifiable information, including 
the names, birth dates, and Social Security numbers of more 
than 56,000 individuals, jeopardizing their privacy and 
financial security. And as Members and congressional staff 
seeking employer-sponsored health insurance were required to 
enroll in the marketplace as created by the Affordable Care Act 
back in 2014, the affected universe of the data breach also 
included a significant number of individuals here on Capitol 
Hill. I understand those affected individuals include 17 
Members of Congress, 435 House staff, and more than 270 spouses 
and dependents.
    A significant breach like this one further demonstrates the 
importance of ensuring that all organizations have the 
necessary cybersecurity tools to combat cybercrime. Most 
recently, in my own home region of the Inland Empire, I learned 
about how hackers attacked a local 911 Center. This is a 
reminder that all systems are fragile and at risk of hacking 
threats. Today's hearing provides us with an opportunity to 
examine how the D.C. Health Benefit Exchange and other similar 
organizations can better protect against potential 
cybersecurity risks and work to ensure that this will never 
happen again.
    Ms. Kofman, I was pleased to hear in your testimony that 
D.C. Health Link is undergoing a comprehensive security review 
and assessment of your entire system, and I look forward to 
hearing more about what you have learned so far. And I urge you 
to continue to work through any remaining cybersecurity 
vulnerabilities, including those susceptible to both malicious 
activity and simple human error.
    Ms. Szpindor, in the days after the breach, you clarified 
to Members in the Committee on House Administration the breach 
did not include any House systems, and stated that the portal 
used by the House to communicate with the D.C. Exchange was 
well-protected, and as you mentioned in your testimony, the 
House is often a target of cyberattacks. And I look forward to 
hearing more about how our administrative professionals at CAO 
continue to work to protect the House from cyber threats, 
ensuring that we have the necessary protections in place to 
avoid further breaches.
    Finally, I would like to thank the CAO, the Capitol Police, 
the House Sergeant at Arms, and the FBI for their work on this 
matter in the days and weeks after the data breach. And with 
that, I yield back to the Chair.
    Ms. Mace. Thank you. I am pleased to introduce our 
witnesses for today's hearing. Our first witness is Ms. Mila 
Kofman, the Executive Director of the D.C. Health Benefit 
Exchange Authority, or HBX, the D.C. Exchange. HBX is a public-
private partnership established to develop and operate the 
online health insurance marketplace called D.C. Health Link for 
residents and small businesses in the district. Our second 
witness is Ms. Catherine Szpindor, the Chief Administrative 
Officer of the U.S. House of Representatives. Ms. Szpindor is 
responsible for Member and staff services, including 
information technology and additional business functions. We 
welcome everyone and are pleased to have you this afternoon.
    Pursuant to Committee Rule 9(g), the witnesses will please 
stand and raise your right hands.
    Do you solemnly swear or affirm that the testimony that you 
are about to give is the truth, the whole truth, and nothing 
but the truth, so help you God?
    [A chorus of ayes.]
    Ms. Mace. Let the record show that the witnesses all 
answered in the affirmative.
    We appreciate both of you being here today and look forward 
to your testimony. I would like to remind the witnesses that we 
have read your written testimony and it will be entered and 
will appear in full in the record. Please limit your oral 
arguments this afternoon to 5 minutes to give us time before 
votes today to ask our questions.
    As a reminder, please press the button on the microphone in 
front of you when you are speaking so that it is on, and 
Members can hear you. When you begin to speak, the light in 
front of you will turn green. After 4 minutes, the light will 
turn yellow. When the red light comes up, your 5 minutes has 
expired and we would ask that you please wrap up your 
statements.
    I recognize Ms. Kofman to please begin her opening 
statement.

                        STATEMENT OF MILA KOFMAN

                           EXECUTIVE DIRECTOR

                 D.C. HEALTH BENEFIT EXCHANGE AUTHORITY

    Ms. Kofman. Thank you. Good afternoon, and thank you for 
inviting me today. My name is Mila Kofman. I am the Executive 
Director of the D.C. Health Benefit Exchange Authority, and I 
want to say how sorry I am. I know this is personal for many of 
you, many of your colleagues and many staff members. We failed 
to prevent the theft of two reports which had sensitive 
personal information of our customers. I want you to know that 
we have not and will not fail in our response, and we are 
working hard to make sure this never happens again.
    I am here to discuss the D.C. Health Link data breach 
affecting 56,415 current and past customers, including Members 
of Congress, their families and staff. On March 6, 2023, we 
learned that a threat actor stole personal data from D.C. 
Health Link. While we do not have medical or healthcare 
information, we do have personal sensitive information. The two 
stolen reports had personal information like name, date of 
birth, and Social Security Numbers.
    On day one, March 6, we immediately asked the FBI 
Cybersecurity Task Force for help and had two special agents in 
our offices that afternoon. We also engaged a leading 
cybersecurity firm, Mandiant. On day two, law enforcement 
obtained and shared the two stolen reports with us. By day 
three of the breach, Mandiant identified the source of the 
breach, and my staff shut it down immediately. By day four, we 
secured 3 years of identity theft and credit monitoring 
protection for all three major credit bureaus for our affected 
customers and notified them on March 9 as soon as Experian 
provided us with a toll-free number and generated codes for our 
customers to use to sign up.
    Although there was no evidence that additional data was 
stolen outside of the two stolen reports, out of an abundance of 
caution, we offered the same 3 years of identity theft and 
credit monitoring protection services to other customers. We 
provided public updates on March 8, 10, and 14, and also set up 
a dedicated web page on dchealthlink.com. We briefed three U.S. 
House Committees. We also briefed the D.C. business community 
and others we work with.
    On Friday, April 14, Mandiant completed its report. The 
cause of this breach is a server that was misconfigured which 
allowed access to the two stolen reports without proper 
authentication. The investigation shows the misconfiguration 
was not intentional. To be clear, it was a human mistake. At no 
point was the D.C. Health Link enrollment system breached. We 
have a strong cybersecurity program, which includes 
technologies used by U.S. intelligence agencies and Fortune 100 
companies, and have successfully repelled attacks on our 
network.
    In response to the breach, I immediately asked third-party 
cybersecurity experts to conduct a comprehensive review and 
assessment of our entire environment, including a sweep to 
ensure there was no other malicious activity within it, and a 
review of our cloud environment, our code, our configurations 
and our processes and procedures. We are now focused on a 
comprehensive review and making improvements. We are also 
actively investigating how the misconfiguration occurred. I can 
update you when we know more.
    I want to reiterate how deeply sorry we are that two 
reports were stolen with personal information. We are making 
every effort to ensure this does not happen again. Thank you 
for inviting me to speak today, and I look forward to answering 
your questions.
    Ms. Mace. Thank you. I now recognize Ms. Szpindor to begin 
her opening statement.

                   STATEMENT OF CATHERINE L. SZPINDOR

                      CHIEF ADMINISTRATIVE OFFICER

                     U.S. HOUSE OF REPRESENTATIVES

    Ms. Szpindor. Thank you, Chairwoman Mace, Chairman 
Loudermilk, and Ranking Members Torres and Connolly, and other 
Members of the House Oversight and Accountability Subcommittee 
on Cybersecurity, Information Technology, and Government 
Innovation, and the Committee on House Administration 
Subcommittee on Oversight.
    The House's information-sharing relationship with D.C. 
Health Link dates to 2013 when Members and staff first enrolled 
in the D.C. Health Link healthcare programs for calendar year 
2014. The CAO's relationship with the D.C. Health Link is 
compulsory in nature and is limited to the secure exchange of 
information required to facilitate House participation in its 
healthcare programs as required by the Patient Protection and 
Affordable Care Act, effective January 1, 2014, and the 
subsequent Office of Personnel Management rulings pertaining to 
the law's implementation.
    Each month, D.C. Health Link and the CAO follow established 
secure data transfer protocol to pay healthcare premiums, 
report terminations, and fix information discrepancies. All the 
Federal and state entities that the CAO shares Member and staff 
data with, including the D.C. Health Benefit Exchange 
Authority, are required to comply with Federal and state 
security requirements as well as their own. Once data is 
received by another entity, the CAO's jurisdiction ends. The 
CAO lacks the authority and capacity to validate or mandate the 
security measures employed by other government entities it is 
required to interface with.
    Upon learning about the D.C. Health Link breach late 
morning Tuesday, March 7, 2023, the CAO's cyber team confirmed 
none of the servers or applications supported by the House had 
been compromised. The CAO worked with the House leadership 
between March 7 and March 10 to send a series of communications 
first to the potential universe of impacted individuals then to 
the confirmed universe of impacted individuals providing 
information on freezing their and their family's credit at the 
three major credit bureaus out of an abundance of caution. They 
also received steps individuals should take to avoid becoming a 
victim of financial fraud. Notices were sent to impacted 
individuals no longer employed by the House, but whose 
information was confirmed to have been included in the breach. 
Additionally, the CAO participated in separate briefings for 
Members and staff and included important breach updates in 
payroll and benefits newsletters distributed House-wide.
    The CAO Payroll and Benefits team continues to field calls 
from the House community pertaining to the breach. Everyone in 
the House community, past and present, ever considered eligible 
for healthcare via D.C. Health Link is eligible for 3 years of 
free credit and identity monitoring services paid for by D.C. 
Health Link.
    This incident, like the 2015 OPM breach, is a sobering 
reminder of why cybersecurity is our top priority. Each year 
the CAO deploys over a quarter million software patches, 
protects more than 3,000 servers and stops tens of millions of 
attempted cyberattacks and billions of attempted probes. We 
have continuously improved our cybersecurity posture. With the 
support of House leadership, we addressed staffing deficiencies 
and significantly increased behind-the-scenes improvements and 
capabilities to include enhanced real-time network monitoring, 
better malware detection tools, and improved security controls 
over devices and applications.
    A strong cybersecurity posture requires consistent strict 
adherence to security practices and training by every member of 
the House community. The House is a target. We must remain 
vigilant and have the right policies and capabilities to ensure 
we protect House data and are prepared to quickly address 
security issues, should they arise.
    The CAO appreciates the opportunity to testify today, and 
we look forward to working with you and the other legislative 
branch partners as the D.C. Health Link investigation 
continues.
    Ms. Mace. Thank you. Thank you, both. I would now like to 
recognize myself for 5 minutes for questioning.
    You said, Ms. Kofman, earlier that the breach was due to a 
misconfigured server without proper authentication. So, is this 
sort of like an exposed IP address? Is this a password issue 
with authentication on the server? What actually happened?
    Ms. Kofman. What we know based on Mandiant's findings and 
investigation is that we had a misconfigured server.
    Ms. Mace. What does that mean?
    Ms. Kofman. If you had an IP address, you can access the 
server without proper authentication.
    Ms. Mace. So, it was an exposed IP address that----
    Ms. Kofman. If you had the IP address, you can access the 
information on the server.
    Ms. Mace. And how long was the server misconfigured? I 
guess how long was the IP address exposed?
    Ms. Kofman. So, we are still investigating. The initial 
configuration of the server, we know occurred mid-2018.
    Ms. Mace. So, the server IP address was exposed starting in 
2018?
    Ms. Kofman. The initial configuration of the server was 
mid-2018. Right now, we have external----
    Ms. Mace. Was that the same IP address for that server when 
this was exposed as in 2018? Is it the same? Was it the same IP 
address? Had it changed at all in that timeframe? From the time 
it was configured, to the time that the breach--did it have the 
same IP address that entire time?
    Ms. Kofman. I do not know if it had the same IP address. I 
will have to get back to you. But right now, we have external 
experts I have asked to investigate the actual 
misconfiguration, what happened, when it happened, why it 
happened, who was involved, how it happened. We have external 
investigators taking a look. Once I have more information----
    Ms. Mace. Is the individual or the team of individuals that 
set up the servers in 2018, and, well, we do not know when it 
was misconfigured. Are those individuals still employed or 
still a vendor of D.C. Health Link, the individuals or the team 
of people that set up the server?
    Ms. Kofman. So, that is why we are doing an external 
investigation to identify who was involved in setting up all of 
the configurations, all of the settings when that server was 
being integrated with Slack, and our suspicion is that it 
happened over time. And, so, our external investigators are 
looking into, starting 2018, what happened. And they are going 
to be looking at every year that that server was configured to 
identify.
    Ms. Mace. So, it is possible the exposure had happened over 
an extensive period of time since 2018, potentially?
    Ms. Kofman. Part of that time that server was down. So, we 
are on a fact-finding mission right now, and I----
    Ms. Mace. How long was the server down during that 
timeframe?
    Ms. Kofman. I do not know. Meaning offline? So, our----
    Ms. Mace. How do you not know when the server was down? 
That seems like if you knew it was down, you would know the 
timeframe it was down.
    Ms. Kofman. That is why we have external investigators 
taking a look to see when it was actually online, when it was 
offline, so we can document everything and identify who was 
involved, how it was configured.
    Ms. Mace. Was it an employee or was it a contractor?
    Ms. Kofman. We have employees and we have contractors, and 
so that is part of our ongoing investigation being conducted by 
external experts. And I am happy to provide you with all of 
that information when we have it.
    Ms. Mace. So, given that we do not know the timeframe, and 
the server was set up in 2018, is it possible that more than 
56,000 people were exposed, like hundreds of thousands of 
people's data was exposed? Is that a possibility?
    Ms. Kofman. So, what we know is 56,415 people, their 
information was stolen. We know that for a fact. We know that 
another set of consumers, current and past customers, their 
information was stored in the same manner that the stolen 
reports were stored. We have no evidence that their information 
was stolen.
    Ms. Mace. So, on this server were there are only two 
reports? Or the two reports that were exposed were the only 
ones you are aware of? Or was there more than two reports on 
the server?
    Ms. Kofman. The server had multiple reports, and the server 
had other automation jobs. Some of the reports we know did not 
have any personal information. Other reports had personal 
information, and that is why----
    Ms. Mace. Up to how many people could potentially have been 
exposed from this breach?
    Ms. Kofman. We are investigating that, but that is why we 
notified pretty much everyone.
    Ms. Mace. I mean, but certainly you know by the number of 
reports on that server, the reports that have personal data and 
do not, certainly you know the number of records or number of 
people that were exposed to the breach?
    Ms. Kofman. The issue is some reports existed for a week, 
and then were replaced by the report, so they were eliminated. 
We are trying to identify every potential person whose data may 
have been on the server, and that is why we notified a lot of 
people whose----
    Ms. Mace. Yes. No, I get that, and I am not going to 
complain about the way that people were notified. I think that 
was done well. I would tell you it was done quickly, it was 
done well and, from a crisis standpoint, the response was 
excellent.
    Ms. Kofman. Thank you.
    Ms. Mace. I am more concerned about the access to the IP 
address, the exposed IP address and the data that was on that 
server. Just as a company policy within the D.C. Health 
Exchange, are employees required to use a ``strong password'' 
when they are creating, you know, authentication within the 
programs that you all use?
    Ms. Kofman. Yes. We encourage the use of strong passwords 
for----
    Ms. Mace. Is it required or is it just encouraged?
    Ms. Kofman. We follow D.C. government standards for our 
passwords.
    Ms. Mace. Do you all require as a matter of company policy 
two-factor authentication for company passwords that are used 
by employees or contractors?
    Ms. Kofman. I will have to get back to you on what 
contractors are required to do.
    Ms. Mace. What about employees? Are they required to use 
two-factor authentication for their passwords for anything that 
they are accessing within the organization?
    Ms. Kofman. Yes, it might be helpful to give you----
    Ms. Mace. Are they required to use two-factor 
authentication? ``Yes'' or ``no.''
    Ms. Kofman. Multi-factor authentication is required to 
access your systems, like your cellphone, your email if----
    Ms. Mace. How long has that been going on?
    Ms. Kofman. The multi-factor authentication requirements? I 
will double-check. I think for a number of years now.
    Ms. Mace. OK.
    Ms. Kofman. And before you had to have codes to get in, but 
I will double-check that.
    Ms. Mace. So, because we do not know who is responsible for 
it yet. No one has been held accountable. No one has been fired 
or lost a contract as a result of the breach. Would that be 
accurate to say?
    Ms. Kofman. We are doing a full investigation----
    Ms. Mace. Are you going to fire the contractor or the 
employee that created this breach issue? Will they be fired?
    Ms. Kofman. We are doing a full investigation.
    Ms. Mace. That would be a ``no'' or ``I don't know,'' which 
is not an acceptable answer. I have one question for Ms. 
Szpindor. Unlike the House vendors, your office has no choice 
with regard to working with D.C. Health Exchange. Given what 
you know now about this breach and potential, I mean, this was 
an IP address totally exposed out there for God knows how long. 
What do you know about this breach? Does the D.C. Health 
Exchange meet the cybersecurity requirements of the House and 
its vendors? In other words, would the Exchange pass muster as 
a House vendor because we know that the CAO holds our vendors 
to a very, very high standard in terms of the applications we 
are allowed to use?
    Ms. Szpindor. At the time we had our agreement with them 
put into place, the various agreements that we do have with 
them, it is hard to know if they would pass the evaluation 
since we really did not have an opportunity to do so. 
Certainly, if we were doing an evaluation now----
    Ms. Mace. Would they pass muster today?
    Ms. Szpindor. We would certainly have some questions, yes. 
We would have to reevaluate and probably ask some very hard 
questions on what had happened.
    Ms. Mace. OK. Thank you, and I am going to yield to Mr. 
Connolly, 5 minutes.
    Mr. Connolly. Thank you, Madam Chairwoman. Ms. Kofman, how 
did you learn that customer data had been exposed on the 
publicly available website BreachForums?
    Ms. Kofman. We work very closely with the city's technology 
agency, and one of their vendors identified the problem. The 
technology agency came to us on Monday around 12, and within 15 
minutes, we confirmed that 11 of our customers' information was 
posted in this solicitation.
    Mr. Connolly. So, they brought it to you?
    Ms. Kofman. The city technology agency we work with, 
correct, and then we immediately notified law enforcement, the 
FBI Cybersecurity Task Force, and asked them for assistance.
    Mr. Connolly. As I understand, the D.C. Capitol Police 
identified another website, Pastehub.net, where the hacker 
posted a sample of the purloined data. To your knowledge, did the 
stolen data appear on other publicly available websites, in 
addition to those two: BreachForums and Pastehub?
    Ms. Kofman. Not to my knowledge, but that is also a 
question I am happy to follow up with law enforcement as well 
as the external experts we have.
    Mr. Connolly. During the early days of the data breach 
investigation, I guess by Mandiant, what steps did your office 
take to inform the appropriate entities of the breach to ensure 
that other potential targets received alerts as quickly as 
possible?
    Ms. Kofman. We and the city technology agency immediately 
notified the U.S. Cybersecurity and Infrastructure Security Agency, 
U.S. Homeland Security and Emergency Management Agency, we 
notified CMS, our oversight agency within the hour of learning 
of the breach. And we also, the next day, once we had 
confirmation that congressional information was in the stolen 
reports, we notified the House and Senate personnel offices, as 
well as OPM and others.
    We took immediate steps for mitigation. And, well, we did 
two things. Mandiant within 2 days was able to identify the 
source of the breach, and we shut it down immediately. That was 
within 2 days of the breach. And within 3 days of the breach, 
we were able to secure identity theft and credit monitoring 
protection for 3 years for all three major credit bureaus. And 
that Thursday, March 9th, we notified 56,415 people whose 
information was stolen. And then that Friday, March 10th, we 
started to notify other people whose information was stored in 
the same manner that these stolen reports were stored in out of 
abundance of caution.
    Mr. Connolly. Were the people in that 56,000 population, 
they were told directly your data has been breached?
    Ms. Kofman. Yes.
    Mr. Connolly. OK, because some of us got a generic 
notification that there had been this breach, but it was not 
clear that you personally were part of that. So, if you were 
not told directly, you were not affected?
    Ms. Kofman. Correct. We wanted to notify others, and that 
is why you got a general notification saying the protection we 
have secured is available to you, your information was not 
breached, but we wanted to give you the same protection as we----
    Mr. Connolly. Right. Responsible, yes. Thank you. Ms. 
Szpindor, what is the relationship between your office and Ms. 
Kofman's? I mean, as you point out in your testimony, we are 
the only group that I know of required by law to go to the 
Exchange, and that Exchange is our local D.C. Exchange, and our 
staff, except Committee staff who have exempted themselves. So, 
what is your relationship with this office, and what is your 
view about their special relationship given the fact that we 
are a high target? We are kind of in the high-risk category. 
What is your response? What is their responsibility? What is 
your responsibility to be, you know, a careful guardian of 
pretty sensitive information about thousands of Capitol Hill 
employees?
    Ms. Szpindor. Well, I have not talked to Mila frequently, 
but we certainly worked together when we were first setting up 
the Exchange, translations that we have to do in order to get 
them the data that they need. But primarily, we do not stay in 
close contact with each other because we have had the systems 
operating and functioning fairly well from our perspective, 
until this has happened over the past years.
    But basically, what they do is we have access to a 
different type of system than the report system that they are 
talking about, their main healthcare system, where our Payroll 
and Benefits employees will initially enter into their system 
through the web interface that they have, the names of the 
individuals who are eligible to enroll in the D.C. Health Link 
data Exchange or D.C. Health Link Exchange. So, we have our 
staff that interfaces that to provide them names of 
individuals.
    We also have, once someone decides they want to be or are 
going to be on the Exchange, our payroll and benefits system 
works with them to enter the information that they are going to 
be on the Exchange. And I think everything else then is carried 
forward by D.C. Health Link as far as reaching out to the 
employee, entering all their detail, their personal 
information, and the healthcare plan that they are selecting.
    Other than that, during the month, we have an interface 
between the CAO's technology group and their group whereby we 
send them any discrepancies that might have to be changed in 
their system and any other small issues that might come up, 
things that have to be corrected. That is sent through, what we 
have is a gateway server, which is just a very secure server 
where it is almost like, you open up the traffic so that the 
data that we want to send goes in. We know when they want to 
accept the data, we open it up just for them to be able to pull 
that data from the gateway server, then that connection is 
closed. So that is pretty much on a routine basis what we do.
    Mr. Connolly. OK. Thank you. My time has expired.
    Ms. Mace. All right. I would now like to recognize Chairman 
Loudermilk for his 5 minutes.
    Mr. Loudermilk. Thank you, Madam Chair. Thank you both for 
being here today. I must admit that being 30 years in the IT 
industry, I worked a lot to secure networks and worked for my 
customers to hack into their networks, and I have become more 
confused sitting in here today as to what happened. I thought 
it would be clarifying.
    First of all, let me say, the majority of data leaks or 
cyber breaches are as the result of some form of human error. 
That is just known in the industry. When we work with 
companies, and I still will consult occasionally, without fee, 
to people who ask, especially when it comes to setting up a 
security policy, your first thing you do is understand the 
majority of your data breaches are going to come from some form 
of human error. In 2017, Equifax had one of the largest data 
breaches in our country's history. It was because of a human 
error, just because someone failed to apply a patch to a system 
that was critical for their cybersecurity. So, when I hear that 
it was a mistake, human error, tells me that there are other 
policies that were not in place to protect against these human 
errors, two-person integrity, double-checking what people are 
doing.
    The other thing is an exposed IP address on itself does not 
create an exploitable server, many servers have through some 
form of firewall, gateway, IP masking, there is access to those 
servers that is needed. There had to be some other 
vulnerability that was exploited on that server.
    So, before I get to my other questions, Ms. Kofman, I would 
like your commitment that you will provide this Committee the 
full Mandiant report as soon as it is received by D.C. Exchange 
because either they have summarized at a very elementary 
level what happened, or we just need to know exactly. Will you 
provide that report to this Committee?
    Ms. Kofman. You have Mandiant's incident report. In 
addition to that, what I am committing to doing is providing 
additional reports and information we gleaned from external, 
independent cybersecurity experts that I have asked to look at 
our entire system. To your point of processes, policies, 
looking at the entire AWS environment that we are in, looking 
at our firewalls, our code, our configurations. I am committing 
to providing you with updates on what we learned from external 
experts we have hired and all the steps that we are taking to 
make sure this never happens again.
    And we have tried, and I hope you recognize this, to be as 
transparent as possible and provide you with information as we 
have facts. I, myself, briefed six different congressional 
committees to date. We have met with----
    Mr. Loudermilk. I do not mean to cut you off, but I am 
limited on time and I do have to get other things. We 
appreciate your transparency with us. We do not appreciate the 
transparency with the hackers, OK? Just from what I have heard 
in here today, I mean, every system is subjected to a hacker. 
When I ran a business, it was always the question was not if my 
customer is going to be hacked, but when, and you always had to 
stay a step ahead of the bad guy. It is vigilance. It is 
continual vigilance. That is the only way that you can secure 
against this. From just what I have seen so far, that this was 
made extremely easy for somebody to get in, but let me 
get to my questions at this point.
    I want to start with Ms. Szpindor. Can you briefly describe 
for us the level of assessment a vendor must undergo prior to 
providing an essential service to the House that requires 
access to Member and staff data? Because a lot of times it is 
not just people inside the organization, but it is their 
vendors. What level of assessment must they go through?
    Ms. Szpindor. We have a fairly rigorous process we put our 
vendors through. I can highlight some of the steps that we go 
through. We require an authorization to operate or ATO. That is 
managed primarily by our cybersecurity team with the help of 
the other groups that are in our technology organization. This 
is for contract-owned systems, systems hosted outside of the 
House infrastructure, enterprise cloud systems and third-party 
service providers and solutions or applications hosted on House 
infrastructure. There are two critical requirements.
    The ATO process is to ensure that the vendor's 
implementation of security and privacy controls is there to 
protect the House information and is validated and monitored 
throughout the system lifecycle. The ATO process requires 
vendor-supported information systems to undergo an independent 
assessment to test and validate the implementation of security 
controls to protect the confidentiality, integrity, 
availability, and privacy of House information. A condition of 
the ATO approval is that the vendor system be enrolled in a 
continuous monitoring program to continuously assess and 
validate successful implementation and effectiveness of 
required security controls.
    Mr. Loudermilk. Now, it sounds like it is not only do you 
give the access, but you are continuing to monitor their 
access.
    Ms. Szpindor. We are.
    Mr. Loudermilk. OK.
    Ms. Szpindor. And if there were anything that would come up 
similar, some of the things that were brought up about VMware, 
SolarWinds, things of that sort, we knew a vendor might be 
using that product, we would immediately contact them and 
initiate some type of requested assessment.
    Mr. Loudermilk. OK. Thank you very much. Ms. Kofman, same 
question. Briefly describe for us your level of assessment a 
vendor must go through prior to providing service to the D.C. 
Health Exchange?
    Ms. Kofman. Thank you. So for our vendors, we require that 
for their employees, that there is no civil or criminal 
activity related to--and I will just read you a portion 
relevant to this--``fraud, theft, embezzlement, breach of 
fiduciary responsibility or other financial misconduct in 
connection with the delivery of healthcare item, a service or 
with respect to any act or omission in any program operated by 
or financed in whole or in part by any Federal, state, or local 
government agency.'' So, our vendors are required to do due 
diligence on employees that they hire. For our own employees, 
we follow D.C. government standards, which include criminal 
background checks for security sensitive positions, which means 
fingerprinting, FBI fingerprinting, and criminal background.
    Mr. Loudermilk. So, what I am hearing is you do a formal 
background check on your vendors and your employees. What I did 
not hear is the ongoing analysis of your vendors and their 
access to the systems and evaluating their systems as well.
    Ms. Kofman. I just want to clarify, we do the background 
checks, working with another D.C. agency, for our employees. We 
require our vendors to be responsible for doing the checks on 
their employees. Otherwise, they are in breach of their 
contract with us.
    Mr. Loudermilk. OK. I understand. I have gone way over my 
time. I yield back.
    Ms. Mace. We all have, but appreciate your comments, Mr. 
Loudermilk, about the IP addresses--because it is exposed does 
not mean that the reports are right there, and if so, there is 
something obviously more going on here, and we are not getting 
the answers today on that ``misconfigured'' server.
    I would now like to recognize Congresswoman Torres for her 
5 minutes.
    Mrs. Torres. Ms. Szpindor, of the 56,000 individuals 
exposed outside of the Members of Congress and the staff, I 
think us working on this campus are very knowledgeable and have 
access to a lot of resources to protect our information. I am 
very concerned about the people outside of this campus. Can you 
tell me how did you notify them? Let us start with that.
    Ms. Szpindor. And I want to be clear I understand, for 
those individuals whose data was exposed, but maybe they had 
been a House employee----
    Mrs. Torres. Had not been a House employee.
    Ms. Szpindor. Had not been a House employee.
    Mrs. Torres. Just your average citizen that buys their----
    Ms. Szpindor. Well, I understand, we did not notify those 
individuals. That was up to D.C. Health Link to notify those 
individuals that were not House employees.
    Mrs. Torres. OK. Can you answer that question, Ms. Kofman?
    Ms. Kofman. Yes. So, we did it through a variety of 
mechanisms. One, within 3 days of the breach, we secured 
identity theft and credit monitoring protection through 
Experian for 3 years.
    Mrs. Torres. No, no, I understand that. How did you notify 
the people working outside of this building?
    Ms. Kofman. Yes, we notified everyone.
    Mrs. Torres. How, email? Phone? Multiple languages? Only in 
English? Explain that to me.
    Ms. Kofman. We put a notice in their D.C. Health Link 
account and triggered an email alerting them to review their 
notice that it is urgent. The notice had, in addition to 
English, had a bunch of other taglines associated with it. It 
was very clear saying their information was breached. We 
identified specifically which of their information was 
breached, and I will just tell you the take-up rate for 
Experian protection is now 19.1 percent. And I think that 
also----
    Mrs. Torres. That is still a very low number. Nineteen-
point-one percent of the people that you notified have 
utilized, taken advantage of the resources that you are 
providing, is that correct?
    Ms. Kofman. So, the average Experian reports is 5 percent 
to 10 percent. Another major Credit Bureau reports about 4 
percent take up rate. So, I agree with you, it should be 100 
percent, but it is higher.
    Mrs. Torres. Yes. I am just trying to get to how do we work 
together to ensure that we protect the people outside of this 
building. Those are the people that need our help the most. 
Those are most vulnerable, the day-to-day American who goes to 
work every day, who does not understand about the security 
issues, you know, that we face here in this building every day. 
What more can you do on that note to help those people?
    Ms. Kofman. So, in addition to issuing three public 
updates, we briefed the three largest D.C. chambers asking them 
for help to notify their members. Many of their members are our 
customers, so D.C. Chamber of Commerce, the Greater Washington 
Hispanic Chamber of Commerce, and the Restaurant Association 
Metropolitan Washington. In addition to that briefing, we asked 
our brokers, we emailed our brokers, and we did two briefings 
for our brokers. Ninety-two percent of our employers have a 
broker, and we asked our brokers to notify their clients about 
this breach and asked for their help.
    Mrs. Torres. Did they do that, to your knowledge?
    Ms. Kofman. I think some did.
    Mrs. Torres. OK. Can you follow up on that and let us know 
if that was done, and if not, I hope that you would, you know, 
go back to them and ensure that that gets done. My other 
question is, the server configuration concern, who provided the 
guidance for the person who configured that server? Did the 
people providing guidance on how that server needed to be 
configured, did they have a background in cybersecurity? Do we 
know that?
    Ms. Kofman. So, everyone who works on our system has IT 
skill set, and then we have folks who look at the security 
aspect of the code and what they are doing.
    Mrs. Torres. And how often do they get training on security 
breaches and how to protect the system?
    Ms. Kofman. The cybersecurity training for our staff and 
that our vendor has is just ongoing. There are formal things 
that they also must do, but it is ongoing. And if I can just 
add, I hired an external cybersecurity expert to investigate 
what happened with this human mistake. And we are going to have 
a lot of information on when the server was misconfigured, why 
it was misconfigured, why it was not caught, and all of the 
steps that led to this event. And once we identify everyone who 
had any part of it, we are going to have lots of information to 
act on and lessons to make sure it never, ever happens again.
    Mrs. Torres. Thank you, and I yield back.
    Ms. Mace. And hopefully that means they get fired. I am 
going to recognize Congressman Timmons for his 5 minutes. And 
then the witnesses asked for a break, and we will do that after 
Mr. Timmons questions for 5 minutes. We will do a quick 5-
minute break, OK? All right, Mr. Timmons?
    Mr. Timmons. Thank you, Madam Chairwoman. We have a problem 
in this country both with cybersecurity and privacy. It is not 
just the government. It is the private sector. We have not 
taken the steps necessary to protect the data that we either 
voluntarily give to private companies or involuntarily give to 
the government.
    When a private company has a data breach, people file 
lawsuits. They have to do a settlement. There are fines. The 
largest settlement is $1.2 billion, $877 million, Equifax $575 
million. So, that is how we hold them accountable. We hold them 
accountable by fining them, and the purpose of that is to get 
other businesses to take better care of their data and to 
protect their customers more.
    We just found out a couple hours ago that the CFPB, which 
we do not voluntarily give our data to them, they take it, they 
acknowledged that they had a data breach. A quarter million 
individuals' files were sent in an email, and so the people 
that fine businesses--I mean the Equifax settlement was with 
the FTC and the CFPB. So, what are we going to do to them? And 
I guess that is one thing I want to talk about, but the other 
thing is this: your business is a public-private partnership. 
What is your ownership structure? Ms. Kofman?
    Ms. Kofman. Yes. We were set up by D.C. Government as a 
private public partnership. What that means is we have a 
private executive board that oversees our policies and sets 
direction.
    Mr. Timmons. I mean, if it is a public-private partnership, 
there is a private in there. So, is it a for-profit? Is it not-
for-profit? Who owns it?
    Ms. Kofman. It is an instrumentality of D.C. government, so 
it is quasi-government. I am sorry.
    Mr. Timmons. So, it is quasi-governmental. Do you have 
statutory immunity? Could somebody sue you for this? Can you 
get a fine for this? What is going to happen? I mean, I am sure 
you have talked to your lawyers. What is going to happen, other 
than you have to come before Oversight and maybe have some 
changes to your contracts? What is going to happen? What do you 
think is going to happen?
    Ms. Kofman. There have been lawsuits that have been filed.
    Mr. Timmons. OK. By individuals or by the FTC, or who is 
coming after? Who is pursuing this?
    Ms. Kofman. Affected individuals.
    Mr. Timmons. OK. I imagine that it will be ongoing for a 
while. If you do get a fine and/or settle, how do you pay for 
that? Do you have insurance?
    Ms. Kofman. We are required by Federal law to be self-
sustaining and financially solvent. We have a capital reserve 
that we will be using if we have to.
    Mr. Timmons. So, if you have to pay tens of millions of 
dollars to settle a lawsuit, you are going to then turn it 
around and charge your customers more? How are you going to do 
that? Is that the plan? Is that what would happen?
    Ms. Kofman. You also asked whether there is cybersecurity 
insurance policy in place. There is one.
    Mr. Timmons. What are the limits?
    Ms. Kofman. I do not know.
    Mr. Timmons. OK. Well, I mean, I do not think many people 
have an option other than to use your services. I am pretty 
sure that I have to. I mean, Members of Congress are on that 
Exchange and we are statutorily required. That was a great idea 
that Congress did during Obamacare. But, you know, we got to 
have accountability. And we have accountability with Equifax 
and Amazon when they have these breaches. They pay huge sums of 
money, and I guess I just hope that your cybersecurity 
insurance is sufficient to cover whatever damages are deemed to 
have. I guess, Ms. Szpindor, do you think that we should 
reevaluate whether Members of Congress and your employees 
should be forced to use the health exchange?
    Ms. Szpindor. Well, I really think that that is up to you 
in Congress to make an evaluation of that. We were compelled to 
do so.
    Mr. Timmons. By the law?
    Ms. Szpindor. By the law and through OPM, who said we would 
use the D.C. Health Exchange to facilitate the Members and any 
of their staff from joining, but I think that that is 
definitely something that is up to the Members.
    Mr. Timmons. OK. I appreciate that answer. Thank you, and, 
Mr. Chairman, I yield back.
    Ms. Szpindor. Thank you.
    Ms. Mace. Thank you. And we are going to just let you take 
a 5-minute break and we will be here when you are done. All 
right.
    [Recess.]
    Ms. Mace. All right. Now that we are back in order, I would 
like to recognize our esteemed colleague, Ms. Norton, for her 5 
minutes.
    Ms. Norton. I thank the Chair, and I thank her for this 
hearing. I also would like to thank our D.C. witnesses for 
being here this day, today. To begin, I would like to note that 
while this data breach is deeply concerning, it is not unique 
to D.C. Director Kofman, do you agree this breach is not unique 
to the District of Columbia?
    Ms. Kofman. Yes.
    Ms. Norton. That, of course, is correct. The private sector 
and Federal, state, and local governments across the country, 
including governments and all the states represented by all the 
Republicans on both Subcommittees here today, have experienced 
data breaches. For example, Kentucky's health insurance program 
for government employees and retirees suffered two data 
breaches in 2020.
    As we have discussed, the breach of D.C. Health Link 
allowed the theft of sensitive personal data, jeopardizing the 
physical safety and financial security of more than 50,000 
people. It also put the data of almost 200,000 additional 
people at risk of theft. Many of the victims are D.C. 
residents, families, small businesses, and nonprofits that I 
represent. Ms. Kofman, you mentioned that the D.C. Health 
Benefit Exchange Authority is offering 3 years of free credit 
monitoring to all customers whose data was at risk. How do 
these resources or resource offerings compare to what other 
breached organizations offer victims?
    Ms. Kofman. Yes. We believe that the 3 years of identity 
theft monitoring and credit monitoring for all three major 
credit bureaus for 3 years exceeds what typically happens. 
Typically, you may get one or 2 years, or you may just get 
monitoring for one major credit bureau. We wanted to go as 
broad as possible and beyond people whose information was not 
stolen. We have made this protection available to everyone, 
past and current customers.
    Ms. Norton. Well, Ms. Kofman, once you discovered the 
breach, how quickly were these resources offered?
    Ms. Kofman. We discovered the breach on March 6. We were 
able to secure Experian credit monitoring and identity theft 
monitoring by March 9, and that is when we notified the 
customers whose information was stolen. And then on March 10, 
so this is just a matter of days after discovering the breach, 
on March 10, we started to notify other customers whose 
information was stored in the same manner as the two stolen 
reports, but we had no evidence that it was actually stolen.
    Ms. Norton. I understand that the acceptance rate for 
credit monitoring and other services you offered was higher 
than the industry average. Ms. Kofman, have you considered 
taking any additional actions to support victims of a data 
breach?
    Ms. Kofman. Yes. We continue to work with all of our D.C. 
Health Link assisters and the three largest chambers and 
certainly our brokers. We have asked them for help to notify 
their clients. I also just want to say how appreciative I am of 
the House CAO and her deputy in the outreach that they did 
through their mechanisms to Members of Congress and affected 
staff.
    Ms. Norton. Well, Ms. Kofman, did D.C. Health Link inform 
affected customers of the breach and of the credit monitoring 
resources by a message loaded into the D.C. Health Link 
account inboxes? Isn't that correct?
    Ms. Kofman. We loaded the breach notice into D.C. Health 
Link account and that also triggered an email to let the person 
know to check their account.
    Ms. Norton. This message generated a generic email to email 
addresses on file, notifying them to check their D.C. Health 
Link account box. Is that correct?
    Ms. Kofman. Yes.
    Ms. Norton. Did the email contain any mention that the 
breach had occurred or give any indication that their personal 
data had been compromised?
    Ms. Kofman. The email itself did not have that kind of 
information. It was marked ``urgent'' for them to check their 
D.C. Health Link account for an important notice.
    Ms. Norton. I see. Impacted individuals would therefore 
need to take the time to log into their D.C. Health Link 
accounts to even know about the breach and the free credit 
offering, isn't that correct?
    Ms. Kofman. Yes, they can also call our call center and get 
that information as well. We shared information with the three 
largest chambers and our brokers so our brokers can share that 
information with their customers. And, so, we have different 
ways that we have shared both the Experian codes and the 
information on how to sign up for the 3-year protection.
    Ms. Norton. We understand, Ms. Kofman, that the open rate 
for emails was between 22 percent and 32 percent. So 
theoretically, many individuals impacted by the breach are not 
aware that their data was stolen.
    Ms. Kofman. The open rates for the notices, I think, are 
what you quoted. That is how many people actually looked at the 
notice. And, so, we are not relying solely on the email or the 
information in the account, and that is why we did three public 
updates and we created a special web page on dchealthlink.com. 
Initially, we had a pop-up, so that is the first thing you see 
when you go to dchealthlink.com that we suffered a data breach. 
But that is precisely why we are working with stakeholders, 
like the business community and our brokers and our D.C. Health 
Link-certified assisters to help get the word out and encourage 
people to avail themselves of the 3-year identity theft and 
credit monitoring protection for all three major credit 
bureaus.
    Ms. Norton. Well, Ms. Kofman, has the authority explored a 
digit----
    Ms. Mace. Ms. Norton, we are about two-and-a-half minutes 
over.
    Ms. Norton. I know, but everybody----
    Ms. Mace. Everybody got about two-and-a-half minutes over.
    Ms. Norton. OK.
    Ms. Mace. Well, you and Timmons did not, so. About 30 more 
seconds, please.
    Ms. Norton. Well, I must note that everybody took more 
time, and since I am more deeply involved than everyone else----
    Ms. Mace. No. Yes, ma'am, and I am giving you more time. 
You are at almost 3 minutes over.
    Ms. Norton. All right. OK.
    Ms. Mace. Which will be the most that anybody had today, so 
thank you.
    Ms. Norton. All right. I am almost through. Ms. Kofman, has 
the authority explored additional methods of notifying D.C. 
residents besides email, such as text, phone call, or paper 
mail?
    Ms. Kofman. We are looking at all options available to help 
notify people.
    Ms. Norton. Finally, Ms. Kofman, what metrics and 
evaluative tools are you using to assess the effectiveness of 
your outreach strategies?
    Ms. Kofman. Well, we looked at the industry, what Experian 
and other major credit bureaus report for take-up rates in case 
of breaches, and Experian reports a 5- to 10-percent take-up rate. 
Ours is currently 19.1 percent, so above their reported 
average. Equifax reports a 4 percent take-up rate. So right now, 
we are at 19.1 percent, but as I mentioned earlier, obviously 
we want everyone whose information was stolen to avail 
themselves of this protection.
    Ms. Norton. Thank you.
    Ms. Mace. Thank you, Ms. Norton. I would now like to 
recognize Congressman Steil for 5 minutes maybe.
    Mr. Steil. I will try to keep it at 5. This is an important 
topic. Chair Mace, Chair Loudermilk, thanks for doing this, the 
Ranking Members as well, Ms. Szpindor, Ms. Kofman for being 
here and going through this.
    Last month, Members of the congressional community, 
including over 800 House Members, staff, and family members, at 
a minimum had their private information unnecessarily exposed 
after the breach of the D.C. Health Link. To me, the goal of 
our hearing today is how did this happen, what steps are being 
taken to protect the information of those exposed, and ensuring 
it never happens again. We received the seven-page forensic 
report. Ms. Kofman, did I hear you that that is the final 
report or is that the preliminary report?
    Ms. Kofman. The report we shared with the Committee staff 
is Mandiant's incident report.
    Mr. Steil. Yes, and that is not the preliminary report, 
that is the report?
    Ms. Kofman. I believe that is the report on the incident.
    Mr. Steil. Let me then come in. I thought it was the 
preliminary report when I read it. It is seven pages. It is 
wildly underwhelming if that is the final report. I think that 
is something we will look into more broadly. Go ahead, Ms. 
Kofman.
    Ms. Kofman. So, in addition to getting Mandiant in 
right away to help us with the incident response, and that is 
the report you have, I have asked external cybersecurity 
experts to look at our entire system, which includes looking at 
our code, looking at the AWS environment to make----
    Mr. Steil. So, see if I get this correct. So, there is 
another vendor separate of Mandiant that is producing this 
review?
    Ms. Kofman. We have several different expert vendors who 
are looking at our entire system. And what I have committed to 
doing earlier is providing you with information as we have 
information from external experts who are looking at our entire 
system to make sure, one, there is no malicious actor in our 
system----
    Mr. Steil. Understood. I got a lot of questions and, I do 
not know if I have a short amount of time, but a short amount 
of time to go through this, so I appreciate that. I will just 
say that the Mandiant report was wildly underwhelming. I will 
leave it there for now. You noted, I think, Ms. Kofman, you 
said to Ms. Mace that this vulnerability may have existed for 5 
years. Is that accurate?
    Ms. Kofman. The server in question was misconfigured mid-
2018 when it was being configured to work with Slack.
    Mr. Steil. So, you will say misconfigured, I will say 
vulnerable, but the problem existed since 2018?
    Ms. Kofman. We are figuring out when exactly the issues 
occurred.
    Mr. Steil. OK.
    Ms. Kofman. But the configuration was done in mid-2018, and 
so another external expert on cybersecurity is doing a full 
investigation for me to identify all those facts.
    Mr. Steil. Understood, and I appreciate that. Ms. Szpindor, 
I appreciate you being here. How often is the House of 
Representatives the target of a cyberattack?
    Ms. Szpindor. Every single moment of every day.
    Mr. Steil. Continuously?
    Ms. Szpindor. Continuously.
    Mr. Steil. Every moment, every day, we are the target of 
attacks. The CAO's Office of Cybersecurity works around the 
clock to ensure to protect Members and staff that our data is 
protected. Is that accurate, because we are getting attacked 
around the clock?
    Ms. Szpindor. Yes, sir. It is all the cyber team plus me 
to----
    Mr. Steil. And I appreciate and let me say, I know you got 
a lot of folks on your team that do a great job on behalf of 
both the staff and the Members here, and thank you to you and 
your staff for the work you guys do literally around the clock 
in particular as it relates to IT. Any vendor wishing to do 
business with the U.S. House of Representatives, it has got to 
go through a vigorous and rigorous assessment by the CAO in 
order to be approved and granted access to our systems. Is that 
correct?
    Ms. Szpindor. Correct.
    Mr. Steil. And would a vulnerability exist for years in the 
House? Would a vulnerability be able to exist for years before 
it is detected?
    Ms. Szpindor. I would think it would be very, very hard to 
have a vulnerability out there that we would not detect for 
that length of time.
    Mr. Steil. Yes. OK. So, I mean it is obviously, in theory 
it is possible, but we got a really rigorous system here in the 
House. We do not think that happens because we have systems in 
place that we would catch it.
    Ms. Szpindor. Yes.
    Mr. Steil. And that is why we have a high standard. And the 
breach that occurred did not occur in any system under your 
control, the U.S. House of Representatives, right?
    Ms. Szpindor. That is correct.
    Mr. Steil. And, so, the PII that is out there was because 
there was a vendor that was not vetted by the U.S. House 
Representative system, right?
    Ms. Szpindor. Correct.
    Mr. Steil. And Members and staff are required to 
participate in this Exchange due to a law that was written by 
Congress, a Federal law. Is that right?
    Ms. Szpindor. Correct.
    Mr. Steil. And, so, the breach that occurred, occurred on a 
vendor that does not meet the House's standards. Is that 
accurate? The standard that the vendor had and the error the 
vendor had would not meet the standard that you have for 
vendors to the U.S. House of Representatives, right?
    Ms. Szpindor. With this current breach.
    Mr. Steil. OK. And, so, Ms. Mace asked, Ms. Szpindor, if I 
can, as the Chief Information Officer of the House and the 
current CAO, knowing what you do about cybersecurity practices 
of the D.C. Health Exchange Authority and the vulnerability 
that led to this breach, would you recommend D.C. Health 
Exchange Authority as a secure vendor with which the House 
could confidently do business?
    Ms. Szpindor. I am not sure that I would----
    Mr. Steil. Well, they are below your standards, so I cannot 
fathom you would recommend that we would do this with them.
    Ms. Szpindor. If we were doing an evaluation today.
    Mr. Steil. If you did an evaluation today of the standard 
that existed before the breach, would they pass or fail? They 
would fail.
    Ms. Szpindor. Right.
    Mr. Steil. Right?
    Ms. Szpindor. Right.
    Mr. Steil. But Members are still doing business with the 
D.C. Health Exchange today. I will tell you as Chairman of the 
Committee on House Administration, I look forward to working 
toward solutions to ensure that we serve this institution, and 
we are not in this position ever again. I appreciate our 
witnesses being here. Madam Chair, I yield back.
    Ms. Mace. Thank you. I would now like to give 5 minutes to 
Congressman Griffith.
    Mr. Griffith. I thank the gentlelady, and I apologize that 
I have not been able to participate and be a part of this 
hearing up to this point in time. I was chairing another 
subcommittee hearing where we were dealing with issues related 
to data brokers. But this is an important hearing, and I look 
forward to getting all the information, not just the part I 
have been able to sit in on for the last, say, 15 minutes. With 
that, I would yield my time to my colleague from the great 
state of Georgia, Mr. Loudermilk.
    Mr. Loudermilk. I appreciate that from my friend and 
colleague from Virginia. And I am going to try to keep this 
within our timeframe, so we can actually set a record in here 
that somebody stayed within the 5 minutes. And I just want to 
complete some of the questioning that I was doing earlier. Ms. 
Szpindor, as I know, but as you can explain, the House employs 
a number of information systems officers, is that correct?
    Ms. Szpindor. Correct.
    Mr. Loudermilk. Can you please elaborate on the role of 
these individuals as it relates to, as you mentioned, 
continually monitoring House-approved vendors?
    Ms. Szpindor. Yes, I will be glad to. The individuals that 
we have that work within our cybersecurity group that are known 
as security systems officers, there are five of them. And they 
are essentially responsible for when a request comes in from a 
vendor, and we are beginning the ATO process to determine their 
viability as a vendor. They make sure that all the steps are 
followed, that we have done the evaluation as it was intended 
to be done, and these individuals work around the clock. So 
far, we have authenticated 36 different systems and have nine 
in progress. But these ATOs are reevaluated on a continuous 
basis, so these individuals stay very busy.
    Mr. Loudermilk. So, in short, you may say that they are 
always checking the work?
    Ms. Szpindor. Yes.
    Mr. Loudermilk. OK.
    Ms. Szpindor. And by the way, we are talking about our 
PeopleSoft system and some of our other large systems that we 
have as well as part of that.
    Mr. Loudermilk. OK. Thank you for that. Ms. Kofman, does 
the D.C. Health Exchange have information system security 
officers on staff?
    Ms. Kofman. We do, and may I address something else? There 
have been a lot of assertions, many assertions made about how 
secure our system is. Let me just say we use Cloudflare, 
FortiGate, Splunk, Tenable, and other security technologies 
that U.S. intelligence agencies use, Fortune 100 companies use, 
U.S. Secret Service, Homeland Security, and the list goes on. 
We have 24/7 monitoring. We have been under attack since we 
opened for business October 1, 2013.
    Mr. Loudermilk. I understand that, and that is an 
impressive list. But the fact remains there was a breach, that 
it goes to the security in the operations, having those 
systems, having those devices, just as Equifax learned, unless 
they are continually monitored, unless the oversight is given, 
unless the policies and procedures that you have address 
potential human error and that they are enforced, you are going 
to have these types of breaches. I want to continue on my 
questioning though. You said, yes, that you do have information 
system security officers on staff, how many?
    Ms. Kofman. Correct. In addition to an outside firm we use 
to help us with 24/7 monitoring of our system, we have full-
time people. We have four people on staff who work in addition 
to the outside firm we use.
    Mr. Loudermilk. Those four people, they are considered 
information systems security officers, not just IT folks, not 
just programmers, not just network analysts, they are 
specifically for security?
    Ms. Kofman. They only work on cybersecurity.
    Mr. Loudermilk. OK. And, so, you have four, and you said a 
vendor?
    Ms. Kofman. And we use supplemental staff from a 
cybersecurity company to supplement the four, and then 
internally, when we need to pull in more people, we do.
    Mr. Loudermilk. So, do these four that you have alluded to, 
do they continually monitor and test your vendors for 
cybersecurity vulnerabilities?
    Ms. Kofman. Yes, they test everything. They look at the 
code, they look at the environment, they engage in pen testing. 
They look at, you know, the 24/7 logs we get.
    Mr. Loudermilk. Do they look at server configurations?
    Ms. Kofman. They look at everything.
    Mr. Loudermilk. But something got missed?
    Ms. Kofman. Something got missed, and that is why I wanted 
an external investigator to help me figure out how we missed 
this, why it was missed, so it never gets repeated again.
    Mr. Loudermilk. Well, since Mr. Griffith took about 45 
seconds to yield to me, I technically made it within my time. I 
yield back to Mr. Griffith.
    Ms. Mace. Thank you.
    Mr. Griffith. And I yield back to the Chair.
    Ms. Mace. Thank you. In closing today, as we wrap this up, 
I want to thank our panelists once again for their testimony 
today and those Members of Congress who showed up and asked 
tough questions. I appreciate the witnesses' participation and 
willingness to discuss the data breach at the D.C. Health 
Exchange. Questions remain. We still do not know what a 
misconfigured server by D.C. Health Link standards is. We know 
when it was misconfigured. We do not know who misconfigured it 
or how it was misconfigured, and the Mandiant report was pretty 
lame and uninformed. So, Ms. Kofman, I hope you and your team 
will continue to cooperate with Congress and with this 
Committee. Please keep us posted about any future reports 
related to the data breach and actions taken by the Exchange in 
response to the breach. Will you commit to that?
    Ms. Kofman. Yes.
    Ms. Mace. With that and without objection, all Members have 
5 legislative days within which to submit materials and submit 
additional written questions for the witnesses which will be 
forwarded to the witnesses for their response.
    Ms. Mace. If there is no further business, without 
objection, we are adjourned.
    [Whereupon, at 4:34 p.m., the Subcommittees were 
adjourned.]