Security Experts:

Connect with us

Hi, what are you looking for?



Congress Members Warned of Significant Health Data Breach

House and Senate members informed that hackers may have gained access to their sensitive personal data in DC Health Link breach.

Members of the House and Senate were informed Wednesday that hackers may have gained access to their sensitive personal data in a breach of a Washington, D.C., health insurance marketplace. Employees of the lawmakers and their families were also affected.

DC Health Link confirmed that data on an unspecified number of customers was affected and said it was notifying them and working with law enforcement. It said it was offering identity theft service to those affected and extending credit monitoring to all customers.

The FBI said it was aware of the incident and was assisting the investigation.

A broker on an online crime forum claimed to have records on 170,000 DC Health Link customers and was offering them for sale for an unspecified amount. The broker claimed they were stolen Monday. Reached by The Associated Press on an encrypted chat site, the broker did no say whether the data had been purchased and said they could not provide additional data to back the claim. They said they were acting on behalf of the seller, who they identified as “thekilob.”

Sample stolen data was posted on the site for a dozen apparent customers. It included Social Security numbers, addresses, names of employers, phone numbers, emails and addresses. The AP reached one of the dozen by dialing a listed number.

“Oh my God,” the man said when informed the information was public. All 12 people listed work for the same company or are family members.

In an email to all Senate email account holders, the sergeant at arms said it was informed that the stolen data included full names of the insured and family members. An email sent out by the office of the Chief Administrative Office of the House on behalf of House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries called the breach “egregious” and promised to provide updates. It urged members to use credit and identity theft monitoring resources.

The Senate email recommended that anyone registered on the health insurance exchange freeze their credit to prevent identity theft.

In an emailed statement, Rep. Joe Morelle of New York said House leadership was informed by Capitol Police that DC Health Link “suffered an extraordinarily large data breach of enrollee information” that posed a “great risk” to members, employees and their family members. “At this time the cause, size, and scope of the data breach impacting the DC Health Link still needs to be determined by the FBI,” Morelle said.

The hack follows several recent breaches affecting U.S. agencies. Hackers broke into a U.S. Marshals Service computer system and activated ransomware on Feb. 17 after stealing personally identifiable data about agency employees and targets of investigations.

An FBI computer system was recently breached at the bureau’s New York field office, CNN reported in mid-February. Asked about that intrusion, the FBI issued a statement calling it “an isolated incident that has been contained.” It declined further comment, including when it occurred and whether ransomware was involved.

There was no indication the Health breach was ransomware-related.

Related: Patient Information Compromised in Data Breach at San Diego Healthcare Provider

Related: Data Breach at Louisiana Healthcare Provider Impacts 270,000 Patients

Related: Data Breach at PFC USA Impacts Patients of 650 Healthcare Providers

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.