Members of the House and Senate were informed Wednesday that hackers may have gained access to their sensitive personal data in a breach of the Washington, DC health insurance marketplace. Legislators’ employees and their families were also affected.
DC Health Link confirmed that the data of an unspecified number of customers was affected and said it was notifying them and working with law enforcement. It said it was offering an identity theft service to those affected and extending credit monitoring to all customers.
The FBI said it was aware of the incident and was assisting in the investigation.
A broker on an online crime forum claimed to have records for 170,000 DC Health Link customers and was offering them for sale for an unspecified amount. The broker claimed they were stolen on Monday. Contacted by The Associated Press on an encrypted chat site, the broker would not say whether the data had been purchased and said they could not provide additional data to support the claim. They said they were acting on behalf of the seller, whom they identified as “thekilob.”
Samples of stolen data were posted on the site for a dozen apparent clients. They included Social Security numbers, addresses, employer names, phone numbers, and emails. The AP reached one of the dozen by dialing a number on the list.
“Oh my gosh,” the man said when told the information was public. All 12 people listed work for the same company or are family members.
In an email to all Senate email account holders, the sergeant-at-arms said he was told the stolen data included the full names of the policyholders and their family members. An email sent by the House Chief Administrative Office on behalf of House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries called the breach “egregious” and promised to provide updates. It urged members to use credit monitoring and identity theft resources.
The Senate email recommended that anyone registered with the health insurance exchange freeze their credit to prevent identity theft.
In an emailed statement, Rep. Joe Morelle of New York said Capitol Police informed House leaders that DC Health Link “suffered an extraordinarily large data breach of member information” that represented a “great risk” for members, employees and their families. “At this time, the FBI has yet to determine the cause, size and scope of the data breach affecting DC Health Link,” Morelle said.
The hack follows several recent breaches affecting US agencies. Hackers broke into a US Marshals Service computer system and activated ransomware on February 17 after stealing personally identifiable data about agency employees and investigation targets.
An FBI computer system was recently breached at the bureau’s New York field office, CNN reported in mid-February. When asked about that intrusion, the FBI issued a statement calling it “an isolated incident that has been contained.” The bureau declined to comment further, including on when it happened and whether ransomware was involved.
There was no indication that the health breach was related to ransomware.