Personal information from the DC Health Link marketplace was found for sale on the dark web
Sensitive personal information from hundreds of US Congress members and their staffers was stolen following a security breach at a health insurance marketplace used by government employees, the FBI told congressional leaders on Wednesday.
House Speaker Kevin McCarthy and House Minority Leader Hakeem Jeffries also learned from the agency that the data is now being offered for sale on the dark web.
Leading lawmakers were informed of a “significant data breach” at the DC Health Link marketplace potentially affecting all members of the House and their families in a letter from the Chief Administrative Office of the House on Wednesday. CAO Catherine Szpindor promised a full list of the individuals affected but advised members to secure their finances “out of an abundance of caution” as their data may have been compromised.
While reassuring marketplace users that “it does not appear that Members or the House of Representatives were the specific target of the attack,” Szpindor nevertheless urged all DC Health Link members to freeze their credit, even offering a link to “step-by-step instructions” on how to do so.
Private data from 170,000 DC Health Link users, allegedly stolen from the insurance clearinghouse on Monday and including names of spouses, dependent children, their social security numbers, home addresses, phone numbers and emails, and employment data, was found to be listed for sale on a dark web forum on Wednesday, according to the Associated Press. The outlet communicated with an individual claiming to represent a seller known as “thekilob” and allegedly tested one of the phone numbers provided as a “sample,” finding it was valid.
DC Health Link oversees health insurance plans for both houses of Congress and their staffers. However, senators and their staffers had less of their data stolen in the breach, according to the AP, with their exposure limited to the names of family members.
The marketplace has “initiated a comprehensive investigation” in cooperation with “forensic investigators and law enforcement,” DC Health Link told the Washington Post in an emailed statement, reassuring customers it was “taking action to ensure the security and privacy of our users’ personal information.” The company added that it was personally notifying and offering credit monitoring services to affected members.
Several government agencies have been hacked in the last month. Hackers infiltrated the US Marshals Service system and stole sensitive personal data about the agency’s employees and its targets before activating ransomware, shortly after the FBI itself experienced a security breach at its New York field office.