DC HealthLink — the health insurance marketplace in Washington, D.C., used by many White House staffers and their families — reported a data breach on Wednesday, with the FBI reporting that some of the leaked information was made available for purchase. above.
In an internal memo sent to US House staff, House Chief Administrative Officer Catherine L. Szpindor notified recipients of a “significant data breach,” which potentially exposed the personally identifiable information (PII) of thousands of employees, and warned them that their data could be. has been compromised.
“We can confirm reports that some DC Health Link customer data has been released in a public forum. We have launched an extensive investigation and are working with forensic investigators and law enforcement agencies,” DC Health Link said in a statement to CBS News.
Tim Graham/Getty Images
Although the internal memo states that the size and scope of the breach is unknown, the FBI has confirmed that account information and PII of House members and staff were stolen, but it does not appear that they were specifically targeted in the cyber attack. The FBI also said that while they believed the individuals selling the stolen information did not appear to be aware of its “high-level sensitivity” at the time, continuing to publicize the event would “certainly change.”
“We are in the process of notifying affected customers and will provide identity and credit monitoring services. Additionally, and out of an abundance of caution, we will also provide credit monitoring services for all of our customers,” the statement from DC Health continued.
Internal memos advise members to freeze their credit and provide extra precautions to avoid falling victim to fraud.
“The FBI is aware of and assisting with this incident. As this is an ongoing investigation, we do not have any additional information to provide at this time,” the FBI said in a statement to CBS News.
J. Scott Applewhite/AP
After the breach, House Speaker Kevin McCarthy and House Minority Leader Hakeem Jeffries sent a letter to D.C. Health Benefits Exchange Authority Executive Director Mila Coffman, in which they said they had notified the FBI that user data had been stolen. Available for purchase on the dark web — including “the names of spouses, dependent children, their Social Security numbers and home addresses.”
“This breach significantly increases the risk that members, staff and their families will experience identity theft, financial crime and physical threats — already an ongoing concern,” the letter continued, and then asked Kaufman when HealthLink would be contacted. A remedial plan is moving forward, along with what services will be provided to affected individuals, and those whose data has been compromised.
A post on Monday on a dark web forum known for data marketplaces showed advertisements for the sale of hacked material. The post was updated Tuesday to say it was “sold.”
DC HealthLink said the investigation is still ongoing, and they plan to provide more information.