The executive director of D.C.’s health insurance exchange says that a hack last month was caused by human error.


A breach of D.C.’s health insurance exchange last month that affected more than 56,000 customers was the result of a misconfigured server, the executive director of the D.C. Health Benefit Exchange Authority told congressional lawmakers in written testimony this week.

According to director Mila Kofman, a cyber security incident response firm completed its investigation into the breach last week, concluding it centered on a server used for generating and storing automated jobs and reports. Both the U.S. Capitol Police and the FBI had been called on to investigate as well.

The breach compromised the basic personal information (things like date of birth, Social Security numbers, and contact information) of 56,415 current and past DC Health Link customers, including members of Congress.

“Let me be clear at the outset: the cause of this breach was human mistake,” Kofman wrote in pre-submitted testimony ahead of a House Oversight and Accountability subcommittee hearing focused on cybersecurity and information technology later Wednesday afternoon. “Based on our investigation to-date, we believe the misconfiguration [of the server] was not intentional but human mistake.”

Kofman’s testimony states that due to the wrongly configured server, “intruders” were able to access two DC Health Link reports that included the personal information of 17 members of the House of Representatives and 43 of their dependents, and 585 House staff members and 231 of their dependents. Officials became aware of the breach on March 6, after some of the stolen data was listed for sale on the dark web.

Although officials were alerted to the issue and began an investigation with the FBI on March 6, many people holding insurance plans through DC Health Link were left confused about the status of their personal information for several days. When news of the breach broke on March 9, several customers told DCist/WAMU that this was the first they had heard about it.

Kofman defends the D.C. Health Benefit Exchange Authority’s effort toward transparency in her testimony, stating that the authority updated the public on March 8, 10, and 14, and set up a dedicated question-and-answer page on DC Health Link’s website. They also briefed congressional committees, several D.C.-based business community groups, and in the days following the breach, offered three years of free identity and credit monitoring to all customers. Kofman said teams worked “around the clock” to shut down the breach, and she praised the authority’s quick response.

“We are not shying away from this breach. We have been and remain committed to being open and transparent,” she wrote. “I want to reiterate how deeply sorry we are that two reports were stolen with personal sensitive data of 56,415 past and current customers.”

DC Health Link serves roughly 100,000 people, including employees at over 5,000 small businesses in D.C. and 11,000 members of Congress and their staffers. The online exchange lets users or businesses shop for private health insurance plans from insurers like UnitedHealth, Aetna, CareFirst BlueCross BlueShield, and Kaiser. It was one of the first new health exchanges to open to the public in 2013.

The breach was far from the city’s first brush with hackers; there have been a number of issues in recent years. In 2022, a Department of Human Services hack left cash missing from residents’ EBT cards, and in 2021, the D.C. Police Department was targeted in a hacking ransom scheme. Hackers demanded $4 million from the Metropolitan Police Department to return stolen data, and eventually released 250 gigabytes of what they claimed to be police files.

This is also not the first time in recent weeks that local leaders have found themselves on Capitol Hill, defending themselves before Congress. As a part of the recent Republican meddling into D.C. affairs, last month local lawmakers like D.C. council chairman Phil Mendelson and former chair of the council’s judiciary committee Charles Allen (D-Ward 6) sat through a four-hour hearing about crime in D.C., held by Republicans in the House Committee on Oversight and Accountability. And Mayor Muriel Bowser is slated to testify at a congressional hearing on crime, homelessness, and the city’s finances in May.

As Kofman presents her testimony and prepares to answer questions on Wednesday, members of the House of Representatives will gather to vote on a bill that would block D.C.’s police reform legislation. While it’s expected to pass a Republican-held House, President Joe Biden has already said he’ll veto the measure.