The breach of a Washington, DC, health insurance marketplace may have allowed hackers’ access to members of the House and Senate’s sensitive personal information, it was revealed on Wednesday. The lawmakers’ staff members and their families also suffered.
DC Health Link is the organization in charge of administering the health care plans of members of the United States House of Representatives, their staff, and their families.
“DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through D.C. Health Link, your data may have been comprised,” said Catherine L. Szpindor, the U.S. House Chief Administrative Officer.
Individuals affected were notified of the breach today via email from Catherine L. Szpindor, as first reported by DailyCaller.
“Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and Pit of hundreds of Mernber and House staff were stolen”, said Szpindor.
“It is important to note that at this time, it does not appear that Members or the House of Representatives were the specific targets of the attack.”
Selling Information Stolen From DC Health Servers
The information about U.S. House members that were taken from the servers of DC Health Link is being sold on a hacking forum by at least one threat actor, known as IntelBroker, according to BleepingComputer.
Notably, the House CAO Szpindor’s email doesn’t mention the data that was stolen. Over 170,000 people were affected, and a sample of the stolen data with the database header reveals that it contains all of their personal information, including names, dates of birth, residences, phone numbers, email addresses, Social Security numbers, and more.
On Monday, March 6, the data was put up for sale, and IntelBroker alleges that it was stolen as a result of a hack into the DC.gov Health Benefit Exchange Authority.
“I am looking for an undisclosed amount in XMR cryptocurrency. Contact me on keybase @ IntelBroker. Middleman only,” says the threat actor.
Adam Hudson, the Public Information Officer for Health Benefit Exchange Authority, stated that some of the stolen data from DC Health Link were posted online and that notifications will be given to people affected in a statement to BleepingComputer.
“We can confirm reports that data for some DC Health Link customers have been exposed on a public forum. We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement.
Concurrently, we are taking action to ensure the security and privacy of our users’ personal information. We are in the process of notifying impacted customers and will provide identity and credit monitoring services.
In addition, and out of an abundance of caution, we will also provide credit monitoring services for all of our customers. The investigation is still ongoing and we will provide more information as we have more to share.”
Network Security Checklist – Download Free E-Book