Mid March we wrote about a major leak of personal data of American users of the health insurance exchange in Washington, DC. As it turned out a month later, the leak became possible due to a banal mistake by one of the DC Health Link technical staff.

In a recent statement, Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority, said the data breach was first discovered in early March and included basic personal information of American citizens, including date of birth, social security numbers and contact information. In total, the leak affected 56,000 current and past clients of the insurance exchange, including members of Congress, their families and staff.

Kofman said her office immediately engaged an FBI cybersecurity task force, which discovered the source of the leak. As it turned out, one of DC Health Link’s computer servers was “misconfigured.” In this regard, any tech-savvy attacker could easily access the databases on the server without proper authentication.

This security flaw has allowed hackers, who even got an interview last month to steal two large data registries containing customer information, some of which were later put up for sale on an online forum.

Kofman confirmed that the stolen data included confidential information from 17 members of the House of Representatives, 43 members of their families, as well as 585 members of the House of Representatives and 231 members of their families.

As a result, Kofman apologized to the victims for the leak, but praised her agency for quickly identifying and fixing the vulnerability, as well as for offering credit monitoring services to victims in a timely manner so that they would not unexpectedly suffer from the actions of any other scammers.

“We do not shy away from this violation. We have been and remain committed to openness and transparency,” says Kofman.

Data leaks from poorly configured servers have already become a kind of classic of the genre. Literally today we reported how hundreds of vulnerable Microsoft SQL servers were attacked by ransomware. Have you already taken care of the security of your servers?