Breach, Incident Response

DC Health Link confirms leak of congressional members’ health data

congress health data breach

DC Health Link confirmed threat actors leaked personal and health information of its health plan members, including House and Senate members, according to an official update.

On March 10, the DC Health Benefit Exchange Authority announced 56,415 plan members were impacted. Following a letter from House of Representatives Chief Administrative Officer Catherine Szpindor to House members, the Senate received a similar notice.

Briefings confirmed the intrusion was first discovered on March 6, 2023. The impacted system is not tied to the Senate or House networks.

The investigation is ongoing, according to authorities. The exact number of impacted congressional members has not been reported. The stolen data could include Social Security numbers, contact details and dates of birth.

Officials have identified two distinct effected groups. The first is individuals whose information has been confirmed as stolen and publicly leaked. The second group is identified as those whose data was stored in the affected platform, but no current evidence of compromise is apparent. As previously reported, several hacking groups posted “data proofs” of the stolen data.

Individuals tied to the leaked data were notified by DC Health Link last week and were provided with three years of identity and credit monitoring for the patient and their enrolled dependents, spouses, and children.

DC Health Link has notified the second group of the potential compromise, as required by The Health Insurance Portability and Accountability Act. However, officials said they can’t confirm or deny with certainty whether their data was accessed or exfiltrated. These individuals are being provided the same amount of credit monitoring services as a precautionary measure.

Further, DC Health Link has identified the cause of the hack and “eliminated” the issue.

The notice does not provide details into the source of the incident. The insurer is continuing to work with a third-party forensics team on a comprehensive review to address methods to strengthen their cyber posture.

The FBI is investigating the incident and does not believe congressional members were the target of the attack.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.