WASHINGTON (AP) — Members of the House and Senate were informed Wednesday that hackers may have gained access to their sensitive personal data in a breach at a health insurance marketplace in Washington, DC. Employees of legislators and their families were also affected.
DC Health Link confirmed that data on an undetermined number of customers had been compromised and said it was notifying them and cooperating with law enforcement. It said it offered identity theft services to those affected and extended credit monitoring to all customers.
The FBI said it was aware of the incident and was assisting the investigation.
A broker on an online crime forum claimed to have data on 170,000 DC Health Link customers and listed them for sale for an undetermined amount. The broker claimed they were stolen on Monday. Reached by The Associated Press on an encrypted chat site, the broker did not say whether the data had been purchased and said they could not provide any additional data to support the claim. They said they were acting on behalf of the seller, whom they identified as “thekilob.”
Samples of stolen data were posted on the site from a dozen apparent customers. It included social security numbers, addresses, names of employers, phone numbers, emails, and addresses. The AP reached one of a dozen by dialing a listed number.
“Oh my god,” the man said when informed that the information was public. All 12 persons mentioned work for the same company or are family members.
In an email to all Senate email account holders, the sergeant at arms said he was informed that the stolen records included the full names of the insured and family members. An email sent by the Office of the Chief Administrative Office of the House on behalf of House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries called the breach “blatant” and promised to provide updates. It urged members to use credit and identity theft monitoring resources.
The Senate email recommended that anyone registering on the health insurance exchange freeze their funds to prevent identity theft.
In an emailed statement, New York Representative Joe Morelle said the House leadership had been informed by the U.S. Capitol Police that DC Health Link had suffered “an extremely large data breach of recorded information” that posed a “high risk.” for members, employees and their family members “At this time, the cause, magnitude and scope of the data breach affecting the DC Health Link is yet to be determined by the FBI,” Morelle said.
The hack follows several recent breaches of US agencies. Hackers broke into a US Marshals Service computer system and activated ransomware on Feb. 17 after stealing personally identifiable information about agency workers and targets of investigations.
An FBI computer system was recently hacked at the agency’s New York field office, CNN reported in mid-February. When asked about that break-in, the FBI issued a statement calling it “an isolated incident that has been contained.” It declined further comment, including when it occurred and whether ransomware was involved.
There was no indication that the health vulnerability was ransomware-related.
Boston AP Technology Writer Frank Bajak contributed to this report.