The Arizona Republic

Congress health data breach creates huge risks

- Lisa Mascaro and Frank Bajak

WASHINGTON – House leaders say the impact of a hack of a health insurance marketplace used by members of Congress “could be extraordinary,” exposing sensitive personal data of lawmakers, their employees and families.

DC Health Link, which runs the exchange, said an unspecified number of customers were affected and it was notifying them and working with law enforcement to quantify the damage. It said it was offering identity theft service to those affected and extending credit monitoring to all customers.

Some 11,000 of the exchange’s more than 100,000 participants work in the House and Senate or are relatives.

In a letter to the exchange’s director posted on Twitter, House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries said the breach “significantly increase the risk that Members, staff and their families will experience identity theft, financial crimes, and physical threats.”

They said the FBI had informed them it was able to purchase the stolen data on the dark web, where it was offered for sale for an unspecified amount Monday on a hacker forum popular with cybercriminals. The FBI said in a statement Wednesday it was aware of the incident and was assisting.

In the letter, McCarthy and Jeffries said “the individuals selling the information appear unaware of the high-level sensitivity of the confidential information in their possession, and its relation to Members of Congress” but that would change as media reports publicized the breach.

They said the FBI had not yet determined the extent of the breach but that thousands of House members, employees and their families have enrolled in health insurance through DC Health Link since 2014. “The size and scope of impacted House customers could be extraordinary.”

It was not clear whether and how the FBI could guarantee that copies of the stolen data are not circulating in the cybercrime underworld.

In the sale offer, a broker on the online crime forum claimed to have records on 170,000 DC Health Link customers and said they were stolen Monday. Reached on Wednesday via encrypted chat, the broker claimed to be acting on behalf of a seller known as “thekilob.”

By Thursday, the offer and sample stolen data posted to the forum had been removed. The data listed Social Security numbers, addresses, names of employers, phone numbers, emails and addresses for a dozen DC Link participants. The AP reached one by phone on Wednesday evening.

“Oh my God,” the man said when informed the information was public. All 12 people listed work for the same company or are family members.

In an email to all Senate email account holders on Wednesday, the sergeant at arms recommended that all those registered on the health insurance exchange freeze their credit to prevent identity theft.

An email sent out by the Chief Administrative Office of the House on behalf of McCarthy and Jeffries called the breach “egregious” and urged members to use credit and identity theft monitoring resources.

The hack follows several recent breaches affecting U.S. agencies. Hackers broke into a U.S. Marshals Service computer system and activated ransomware Feb. 17 after stealing personally identifiable data about agency employees and targets of investigations.
