WASHINGTON - Today, House Administration Subcommittee on Oversight Chairman Barry Loudermilk (GA-11) delivered opening remarks at a joint hearing with the Committee on Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation entitled, "Data Breach at the D.C. Health Exchange."

Chairman Loudermilk's Opening Statement:

Thank you, Chair Mace, for partnering with our subcommittee to hold this joint hearing, and for hosting us in your committee room here today.

On March 6th, data was breached from the DC Health Exchange and posted on the dark web.

As a result, the personal identifiable information of tens of thousands of people was exposed.

This includes over 800 Members of Congress, their staff, and families who are required by law to use D.C. Health Link.


The fact that such a breach was able to occur left our congressional community in shock.

It is well-known that the United States Congress is a key target for cyber-attacks, both foreign and domestic.

That’s why the Chief Administrative Officer has an Office of Cybersecurity that sets high standards for vendors and contractors hoping to do business with the House.

These safeguards help protect members, staff, and their family's data from thousands of cyber-attacks every month.

Unfortunately, the DC Health Link is not subject to those same standards.


Prior to serving in Congress, I spent 30 years in the information systems industry, so I know just how vital it is to ensure there are high standards and protocols in place when dealing with personal identifiable information.

Our goal for today’s hearing is twofold.

First, we must learn how this breach was able to happen and how we can minimize the harm to all individuals impacted.

Second, we must discuss improvements that those who support the House need to make to ensure that those impacted by this breach are never put in this position again.

I’d also like to discuss the preliminary findings from the forensic report produced by Mandiant, a well-known cybersecurity firm that was hired by the DC Health Exchange in the aftermath of the breach.

That 7-page report was shared with us on Friday, and while we were hoping it would provide more clarity, we were left scratching our heads.

We still do not know who is behind the attack.

We still do not know if the data is for sale on other areas of the dark web.

We still do not know how much data the hacker accessed.

And we still do not know exactly how this was able to occur.


However, the report largely blames Amazon Web Services when, interestingly enough, Mandiant is a subsidiary of Google, one of AWS’s largest competitors.

While we invited representatives from Mandiant to come and testify today and answer some of our questions, they declined.

That is disappointing.

This breach occurred at a time when threats to members of Congress are still at historic highs.

I know this firsthand.

It’s unacceptable that over a month later, we still don’t have answers, and continue to be left in the dark.

I look forward to getting answers and learning what steps we can take to better protect this information.