Content, Malware

Hackers Steal Health Records from Congressional Members on D.C. Health Exchange

Search Hacked warning on laptop Concept of privacy data being hacked and breached from internet technology threat. 3d renderring.

Hackers last week broke into the health insurance online marketplace for Washington, D.C. and rifled the personal identifiable information (PII) of hundreds of Congressional legislators and staff, according to the exchange’s chief administrator.

56,000 Customers Impacted

Some 56,000 of the marketplace’s 100,000 customers were impacted by the DC Health Link data breach, the DC Health Benefit Exchange Authority, which operates the online site, said on Friday, March 10, 2023, NBC News reported.

Compromised data included Social Security numbers, birth dates, gender, health plan information, employer information and enrollee information, such as address, email, phone number, race, ethnicity and citizenship status.

DC Health Link offers health care plans for members of Congress and some staffers. Roughly 11% of the exchange’s members work in Congress, either in D.C. or district offices nationwide.

In a letter to the exchange's director posted on Twitter, House Speaker Kevin McCarthy, (R-CA) and Minority Leader Hakeem Jeffries, (D-NY) said the breach “significantly increases the risk that Members, staff and their families will experience identity theft, financial crimes, and physical threats.”

In a letter obtained by NBC News following a Twitter post by the Daily Caller, DC Health Link Chief Administrative Officer Catherine L. Szpindor acknowledged last week that the online marketplace had been victimized by a data breach. Szpindor said she had been alerted to the incident by federal and local law enforcement.

Commenting on the matter, Szpindor said:

“Currently, I do not know the size and scope of the breach but have been informed by the Federal Bureau of Investigation (FBI) that account information and of hundreds of Member and House staff were stolen. I expect to have access to the list of impacted enrollees later today and will notify you directly if your information was compromised.”

Szpindor added that it did not appear that House lawmakers were “the specific target of the attack.”

Protection Plan Offered

DC Health Link enrollees will receive three years of free identity and credit monitoring if they want it, a spokesperson said.

"We are taking action to ensure the security and privacy of our users’ personal information," the spokesperson said in a statement. "We are in the process of notifying impacted customers and will provide identity and credit monitoring services."

NBC News said it had viewed a post on the dark web that advertised having DC Health Link data for sale. The post was listed ahead of when the breach was officially identified. The post now lists the data as sold.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.