Set Written Standards To Determine Authority To Access Systems

The District of Columbia Health Benefit Exchange Authority (HBX) has agreed to settle a class action lawsuit stemming from a 2023 data breach.

HBX operates the Affordable Care Act online health insurance marketplace, DC Health Link, which residents and small businesses in the District use to obtain affordable health coverage.

In March 2023, HBX confirmed that the data of some DC Health Link customers had been accessed by an unauthorized individual and released on a public forum. The data related to residents of the Washington DC area, including members of Congress and their families. HBX confirmed that 56,415 customers had their data stolen and published online, although in total, up to 170,000 individuals may have been affected.

The remaining individuals were notified out of an abundance of caution. The data compromised in the incident included name, Social Security number, date of birth, gender, health plan information, employer information, and enrollee information.

Legal action was taken by victims of the data breach, who claimed that HBX failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to customer data, and that had those measures been implemented, the data breach could have been prevented.

Several lawsuits were filed in response to the data breach, which were consolidated into a single action in the U.S. District Court for the District of Columbia: Lawless, et al. v. District of Columbia Health Benefit Exchange Authority d/b/a DC Health Link. HBX opted to settle the lawsuit with no admission of wrongdoing or liability to avoid the risk and uncertainty associated with continuing the litigation.

Source: https://www.hipaajournal.com/district-of-columbia-health-benefit-exchange-authority-data-breach-settlement/

Commentary

The source states that an "unauthorized individual" had access to the data and released it on a public forum. The term "unauthorized individual" refers to someone who accessed and released the data without proper permission.

Unauthorized individuals can be:

  • Employees: Even if they work for the organization, employees who access data or systems beyond their authorized scope are considered unauthorized.
  • Ex-employees: Former employees who once had access but no longer have permission, or should no longer have permission, to access or release that data.
  • Contractors: Contractors or former contractors who do not have the necessary permissions to access certain information or systems are also considered unauthorized.
  • Cybercriminals: These individuals can include cyber gangs, hackers or nation states that break into systems or use malware, phishing, or other cyber-attacks to gain access to sensitive information.

Organizations need to establish clear and robust access control policies to ensure that only authorized individuals can access sensitive data and systems.

Here are some key steps to define who has access and who does not:

  • Role-Based Access Control (RBAC): Implementing RBAC ensures that access to systems and data is granted based on the user's role within the organization. For example, healthcare providers may have access to patient records, while administrative staff may only have access to billing information.
  • Least Privilege Principle: This principle involves granting users the minimum level of access necessary to perform their job functions. By limiting access, organizations can reduce the risk of unauthorized data exposure.
  • Regular Audits and Monitoring: Conducting regular audits and monitoring access logs can help identify and address any unauthorized access attempts. This proactive approach ensures that access controls remain effective and up to date.
  • Employee Training: Educating employees about the importance of data security and their role in maintaining it is crucial. Training sessions can help employees understand the organization's access control policies and the consequences of unauthorized access.
  • Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security by requiring users to provide multiple forms of verification before accessing sensitive systems. This can significantly reduce the risk of unauthorized access.
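The following is an added illustration, not code from the source article or from HBX, of how the steps above combine into a single deny-by-default access decision: role-based permissions, deactivation of former staff, a contract end date for contractors, an MFA check, and an audit trail of every denial. The roles, permission names, accounts and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed role-to-permission map (hypothetical roles drawn from the commentary).
ROLE_PERMISSIONS = {
    "clinician": {"patient_records:read", "patient_records:write"},
    "billing": {"billing:read", "billing:write"},
    "contractor_claims": {"billing:read"},
}

# Constructed dates used by the scenarios below.
TODAY = date(2024, 1, 15)
CONTRACT_END = date(2023, 12, 31)

@dataclass
class Account:
    user: str
    role: str
    active: bool = True                    # False once an employee or contractor leaves
    access_ends: Optional[date] = None     # contract end date for contractors, if any
    mfa_verified: bool = False             # MFA completed for this session

@dataclass
class AccessDecision:
    allowed: bool
    reason: str

AUDIT_LOG: list = []   # one line per decision, reviewed during regular audits

def authorize(acct: Account, permission: str, today: date) -> AccessDecision:
    """Deny by default: the requester must be active, inside any contract term,
    MFA-verified, and hold a role that grants the requested permission."""
    if not acct.active:
        decision = AccessDecision(False, "account deactivated (former staff)")
    elif acct.access_ends is not None and today > acct.access_ends:
        decision = AccessDecision(False, "contract engagement has ended")
    elif not acct.mfa_verified:
        decision = AccessDecision(False, "MFA not completed")
    elif permission not in ROLE_PERMISSIONS.get(acct.role, set()):
        decision = AccessDecision(False, f"role '{acct.role}' lacks {permission}")
    else:
        decision = AccessDecision(True, "granted by role")
    verdict = "ALLOW" if decision.allowed else "DENY"
    AUDIT_LOG.append(f"{today} {acct.user} {permission} {verdict}: {decision.reason}")
    return decision

def denied_events() -> list:
    """Denied attempts are what an access-log review looks for first."""
    return [entry for entry in AUDIT_LOG if " DENY:" in entry]
```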