DC Health Link — the health insurance marketplace for Washington, D.C., that is used by many White House staffers and their families — reported a data breach on Wednesday, with the FBI reporting that some of the information in the leak had been made available for purchase on the dark web.
In an internal memo sent to U.S. House staffers, House Chief Administrative Officer Catherine L. Szpindor informed recipients of the “significant data breach,” which potentially exposed the personally identifiable information (PII) of thousands of employees, and warned them that their data may have been compromised.
“We can confirm reports that data for some DC Health Link customers has been exposed on a public forum. We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement,” said DC Health Link in a statement to CBS News.
While the internal memo states that the size and scope of the breach are unknown, the FBI confirmed that account information and PII belonging to House members and staff were stolen, but it does not appear that they were specifically targeted in the cyberattack. The FBI also said that while they believe the individuals selling the stolen information did not seem to be aware of its “high-level sensitivity” at the time, continued publicizing of the event would “certainly change” that.
“We are in the process of notifying impacted customers and will provide identity and credit monitoring services. In addition, and out of an abundance of caution, we will also provide credit monitoring services for all of our customers,” continued the statement from DC Health Link.
The internal memo closes by suggesting that members freeze their credit, and provides additional precautionary measures to avoid being victims of fraud.
“The FBI is aware of this incident and is assisting. As this is an ongoing investigation, we do not have any additional information to provide at this time,” said the FBI in a statement to CBS News.
Following the breach, a letter was sent by House Speaker Kevin McCarthy and House Minority Leader Hakeem Jeffries to Mila Kofman, the executive director of the DC Health Benefit Exchange Authority, in which they said they were informed by the FBI that the stolen user data was available for purchase on the dark web — including “names of spouses, dependent children, their social security numbers, and home addresses.”
“This breach significantly increases the risk that Members, staff, and their families will experience identity theft, financial crimes, and physical threats — already an ongoing concern,” the letter continued, and then went on to ask Kofman when DC Health Link will be reaching out to affected persons, and what services will be offered to those whose data has been compromised, along with a reparative plan moving forward.
A post made on Monday to a dark web forum known for its data marketplace appears to advertise the hacked material for sale. The post was updated on Tuesday to say it had been “sold.”
DC Health Link said that the investigation is still ongoing, and that they plan to provide more information as it comes.