A hacker has claimed that personally identifiable information (PII) belonging to several members of the US Congress may have been compromised in a cyberattack on DC Health Link, the online health insurance marketplace of the District of Columbia.
The data breach came to light earlier this week after DC Health Link announced that the FBI had informed them that some of the stolen information was already available for purchase on the dark web. DC Health Link is responsible for managing the healthcare plans of the US House of Representatives members, staff, and their families.
In an internal memo sent to staff members on Monday, the House Chief Administrative Officer, Catherine L. Szpindor, notified them of a “significant data breach,” which potentially exposed the sensitive personal details of thousands of employees.
The gravity of this incident cannot be overstated, as PII can be used for identity theft, financial fraud, and other malicious purposes. It is crucial that immediate action is taken to secure the compromised information and prevent further damage.
“As a member or employee eligible for health insurance through the DC Health Link, your data may have been comprised,” Szpindor stated.
“Currently, I do not know the size and scope of the breach but have been informed by the Federal Bureau of Investigation (FBI) that account information and PII of hundreds of members and house staff were stolen. It is important to note that at this time, it does not appear that members of the House of Representatives were the specific target of the attack,” she added.
House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries took action on Wednesday by sending an email to their colleagues to inform them about a breach that occurred. Their email addressed the seriousness of the situation, stating that the safety and security of all individuals in the Capitol Hill community is their top priority in light of the recent cyber hack. McCarthy and Jeffries described the incident as an “egregious security breach” and emphasized the importance of taking necessary steps to ensure the protection of everyone affected.
Chairman Steil is aware of the breach and is working with the CAO to ensure the vendor takes necessary steps to protect the PII of any impacted member, staff, and their families. https://t.co/6rI2sVbME7
— House Admin. Committee GOP (@HouseAdmin) March 8, 2023
The specifics surrounding the data breach that impacted DC Health Link are still uncertain, including its cause, size, and scope. However, on Monday, a post on a dark web forum suggested that the stolen material was up for sale. The post, made by a threat actor known as IntelBroker on Breachforum, claimed responsibility for breaching the DC[.]gov Health Benefit Exchange Authority and obtaining the personal information of members of the US House.
IntelBroker stated that they were selling this information to interested parties and specified that they would only accept an undisclosed amount in XMR cryptocurrency.
The compromised data, according to a report by BleepingComputer, included the personal information of approximately 170,000 individuals. This information encompasses sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, Social Security Numbers, and other personal details. The threat actor further added that they had already sold the stolen information to at least one buyer.
Adam Hudson, a spokesman for the Health Benefit Exchange Authority, has confirmed the breach in a statement, acknowledging that the personal information of some DC Health Link customers had been exposed on a public forum.
“Concurrently, we are taking action to ensure the security and privacy of our users’ personal information. We are in the process of notifying impacted customers and will provide identity and credit monitoring services.”
The FBI has confirmed its knowledge of the incident and is providing assistance with the ongoing investigation.
“As this is an ongoing investigation, we do not have any additional information to provide at this time,” a spokesperson added.
This unfortunate incident underscores the need for heightened cybersecurity measures to protect sensitive information from cybercriminals. We urge everyone to take steps to safeguard their personal information and to remain vigilant in the face of ever-evolving cyber threats.