DC healthcare exchange breach leaked sensitive data of Congress members, staff
A data breach involving Washington, D.C.’s healthcare exchange platform includes sensitive information of Congress members and staff, the legislative body was informed on Wednesday.
According to a letter from Catherine Szpindor, the House's chief administrative officer, the breach leaked the personal information of enrollees on the DC Health Link website. The Daily Caller first obtained the letter.
She wrote that the FBI had informed her that hundreds of those affected either held office or were staff. She expected to receive more concrete information about who exactly had their information leaked by Thursday.
On Monday, a purported hacker on the forum Breached said they obtained a database with the personal information of about 170,000 people. The hacker claimed it included names, ID numbers, policy IDs, Social Security numbers, plan names, employers, addresses and much more.
The hacker asked for payment in the Monero cryptocurrency, and by Wednesday the post was updated to say the database had been sold.
DC Health Link — a health insurance marketplace for D.C. residents — did not respond to repeated requests for comment earlier in the week, but on Wednesday night told The Record that the data stolen was legitimate.
The breach is the second incident in recent weeks involving sensitive federal data, with the U.S. Marshals Service suffering a ransomware attack in February that leaked troves of information.
DC Health Link spokesperson Adam Hudson confirmed that the marketplace’s data was exposed on the public forum and said the organization is “working with forensic investigators and law enforcement.”
The Health Benefit Exchange Authority (@DCHealthLink), Washington DC's health insurance marketplace, may have suffered a #databreach after a database allegedly containing personal information about 170K individuals was offered up for sale on a data leaks forum... @DCGovWeb — BetterCyber (@_bettercyber_) March 6, 2023
“Concurrently, we are taking action to ensure the security and privacy of our users’ personal information,” he said. “We are in the process of notifying impacted customers and will provide identity and credit monitoring services … The investigation is still ongoing and we will provide more information as we have more to share.”
Szpindor urged potential victims to freeze their credit so no credit cards can be opened or loans can be taken out in a person’s name.
She added that House leaders Kevin McCarthy (R-CA) and Hakeem Jeffries (D-NY) “formally requested additional information from DC Health Link on what data was taken, who was impacted, and what steps they are taking to protect House victims of this breach.”
NBC News reported that the Senate sergeant at arms had sent a similar letter to that chamber of Congress. NBC also obtained a letter sent by McCarthy and Jeffries to the marketplace claiming the FBI had purchased some of the leaked material. The FBI did not respond to requests for comment.
The breach came on the same day that the Department of Health and Human Services (HHS) issued new voluntary cybersecurity guidance for health care organizations looking to bolster their cybersecurity.
Sen. Mark Warner (D-VA) said cybercriminals “continue to target health systems in order to steal or hold for ransom the sensitive medical data of American patients and jeopardize the daily operations of health care providers.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.