More than 56,000 customers were impacted by the DC Health Link data breach, the DC Health Benefit Exchange Authority revealed Friday.
The data fields compromised were name, Social Security number, birthdate, gender, health plan information, employer information and enrollee information – address, email, phone number, race, ethnicity and citizenship status.
Some 11,000 of the exchange’s more than 100,000 participants work in the House and Senate — in the nation's capital and district offices across the nation — or are relatives.
In a letter to the exchange's director posted on Twitter, House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., said the breach “significantly increase the risk that Members, staff and their families will experience identity theft, financial crimes, and physical threats.” The stolen data includes Social Security numbers, phones, addresses, emails and employer names.
The FBI said in a brief statement Wednesday evening it was aware of the incident and was assisting.
In the letter, McCarthy and Jeffries said the FBI had not yet determined the extent of the breach but that thousands of House members, employees and their families have enrolled in health insurance through DC Health Link since 2014. “The size and scope of impacted House customers could be extraordinary.”
Local
Washington, D.C., Maryland and Virginia local news, events and information
They said the FBI told them it was able to purchase the stolen data on the dark web, where it was offered for sale for an unspecified amount Monday on a hacker forum popular with cybercriminals.
It was not clear, though, whether and how the FBI could guarantee that copies of the stolen data were not circulating in the cybercrime underworld. Indeed, on Thursday, a new user on the forum claimed a hacker known as “thekilob” had stolen more than 55,000 records and exclaimed “Glory to Russia” in Cyrillic. Some of the most active cybercriminals are Russian speakers and operate with little interference from the Kremlin.
The user posted 200 records from the hack online and The Associated Press confirmed the sample's authenticity with two of the victims listed.
The DC Health Benefit Exchange Authority is working with law enforcement and reached out to impacted enrollees. It will provide three years of free identity and credit monitoring to all customers who want it.