The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PII of Lawmakers and Capitol Hill Staff Stolen in DC Health Link Data Breach

The personal information of lawmakers and staffers has been stolen in a cyberattack on the health insurance marketplace, DC Health Link. DC Health Link serves around 100,000 people, including 11,000 Congress members and staffers. The investigation into the data breach is still in the early stages so it is currently unclear how many Congress members and staffers have been affected. At this stage of the investigation, it appears that the hacker behind the attack did not specifically target the personally identifiable information (PII) of members of Congress or the House of Representatives.

House Chief Administrative Officer, Catherine Szpindor, issued a statement confirming there had been “a significant data breach” that potentially involved the theft of the PII of thousands of enrollees. She said the Federal Bureau of Investigation (FBI) has been assisting with the investigation and believes the PII of hundreds of Congress members and staffers has been stolen. She also confirmed that some DC Health Link customer data has been exposed on a public forum. An investigation is currently underway to determine how access to the health insurance marketplace was gained and the extent of the data breach. She recommends placing credit freezes with the three main credit bureaus as a precaution and extending those freezes to spouses and dependents, as their information may also have been compromised.

Senate members were notified about the data breach via email by the Senate Sergeant at Arms, who said the stolen data included full names, dates of enrolment, relationship (self, spouse, child), and email addresses, and that no other PII appeared to have been compromised. House Speaker Kevin McCarthy (R-CA) and House Minority Leader Hakeem Jeffries (D-NY) sought further information from DC Health Link about the data breach and the actions that were being taken in response.

An established member of a hacking forum was attempting to sell the stolen data, which was claimed to include the PII of 170,000 individuals and included personal information, dates of birth, the names of spouses and dependents, Social Security numbers, and other sensitive information. A sample of the PII of 11 individuals was added to the listing as proof that the dataset was legitimate.

McCarthy and Jeffries said the FBI purchased some of the data and confirmed that Social Security numbers were included along with other sensitive information. The hacker appeared not to have realized the dataset included the PII of members of Congress and staffers; however, now that the data breach has been made public, that will be abundantly clear. The hacker has since updated the post to indicate the data has been sold. A spokesperson for the DC Health Benefit Exchange Authority, which runs DC Health Link, said credit monitoring services are being offered to affected individuals.

Update:

On March 10, 2023, DC Health Benefit Exchange Authority confirmed that 56,415 plan members were affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
