Hackers last week broke into the health insurance online marketplace for Washington, D.C. and rifled the personal identifiable information (PII) of hundreds of Congressional legislators and staff, according to the exchange’s chief administrator.
56,000 Customers Impacted
Some 56,000 of the marketplace’s 100,000 customers were impacted by the DC Health Link data breach, the DC Health Benefit Exchange Authority, which operates the online site, said on Friday, March 10, 2023, NBC News reported.
Compromised data included Social Security numbers, birth dates, gender, health plan information, employer information and enrollee information, such as address, email, phone number, race, ethnicity and citizenship status.
DC Health Link offers health care plans for members of Congress and some staffers. Roughly 11% of the exchange’s members work in Congress, either in D.C. or district offices nationwide.
In a letter to the exchange's director posted on Twitter, House Speaker Kevin McCarthy, (R-CA) and Minority Leader Hakeem Jeffries, (D-NY) said the breach “significantly increases the risk that Members, staff and their families will experience identity theft, financial crimes, and physical threats.”
In a letter obtained by NBC News following a Twitter post by the Daily Caller, DC Health Link Chief Administrative Officer Catherine L. Szpindor acknowledged last week that the online marketplace had been victimized by a data breach. Szpindor said she had been alerted to the incident by federal and local law enforcement.
Commenting on the matter, Szpindor said:
“Currently, I do not know the size and scope of the breach but have been informed by the Federal Bureau of Investigation (FBI) that account information and of hundreds of Member and House staff were stolen. I expect to have access to the list of impacted enrollees later today and will notify you directly if your information was compromised.”
Szpindor added that it did not appear that House lawmakers were “the specific target of the attack.”
Protection Plan Offered
DC Health Link enrollees will receive three years of free identity and credit monitoring if they want it, a spokesperson said.
"We are taking action to ensure the security and privacy of our users’ personal information," the spokesperson said in a statement. "We are in the process of notifying impacted customers and will provide identity and credit monitoring services."
NBC News said it had viewed a post on the dark web that advertised having DC Health Link data for sale. The post was listed ahead of when the breach was officially identified. The post now lists the data as sold.