The DC Health Link, a health insurance marketplace used by members of Congress, recently suffered a data breach that could expose sensitive personal data of lawmakers, their employees, and families. The leaders of the House of Representatives warned that the impact of this hack “could be extraordinary,” as thousands of people could be affected.
The DC Health Link has over 100,000 participants, with around 11,000 of them being House and Senate employees or their relatives. According to an official statement by the exchange, it has informed an unspecified number of customers about the breach and is working with law enforcement to assess the damage. The exchange is also offering identity theft services to those affected and extending credit monitoring to all customers.
Stolen Data Includes Social Security Numbers, Phone Numbers, Addresses, Emails, and Employer Names
The stolen data includes Social Security numbers, phone numbers, addresses, emails, and employer names. In a letter to the exchange’s director posted on Twitter, House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries said that the breach “significantly increases the risk that Members, staff, and their families will experience identity theft, financial crimes, and physical threats.”
The FBI has not yet determined the extent of the breach, but thousands of House members, employees, and their families have enrolled in health insurance through DC Health Link since 2014. McCarthy and Jeffries said, “The size and scope of impacted House customers could be extraordinary.” They added that the FBI informed them that the stolen data was offered for sale on the dark web, where it was purchased for an unspecified amount on Monday on a hacker forum popular with cybercriminals.
Concerns Over Circulation of Stolen Data in Cybercrime Underworld
It is unclear whether and how the FBI can guarantee that copies of the stolen data are not circulating in the cybercrime underworld. On Thursday, a new user on the forum claimed that a hacker known as “thekilob” had stolen more than 55,000 records and exclaimed “Glory to Russia” in Cyrillic. Some of the most active cybercriminals are Russian speakers and operate with little interference from the Kremlin. The user posted 200 records from the hack online, and The Associated Press confirmed the sample’s authenticity with two of the victims listed.
Potential Impact on Victims
“This is big. This isn’t just like regular folks. This is everyone,” said one victim who works in Washington, D.C. In all, 24 people in her office had their records in the dump. To avoid further potential harm, the AP is not naming victims or their workplaces. An email sent out by the Office of the Chief Administrative Officer of the House on behalf of McCarthy and Jeffries called the breach “egregious” and urged members to use credit and identity theft monitoring resources.
Hacking as Part of a String of Recent Cybersecurity Incidents
This hack follows several recent breaches affecting U.S. agencies. In February, hackers broke into a U.S. Marshals Service computer system and activated ransomware after stealing personally identifiable data about agency employees and targets of investigations. An FBI computer system was also recently breached at the bureau’s New York field office. While there is no indication that the DC Health Link breach was ransomware-related, the incident highlights the need for organizations to prioritize cybersecurity to protect sensitive personal information.