Sensitive information has been posted online from last week’s “significant data breach” of the health insurance marketplace for Washington, D.C., that affected members of Congress, according to Senate staffers briefed on the hack.
In an email to Senate offices, staffers from the Intelligence Committee said they “learned that breached information is already up on one of the big hacker breach sites.”
The information is “easily accessible to folks who know how to look for it,” and it “includes name, address, [Social Security number], [date of birth], desk phone number, what plan you signed up for, and how much your monthly contribution is.”
“This is scary,” the email said.
DC Health Link is the Affordable Care Act online marketplace that administers health care plans for members of Congress and certain Capitol Hill staffers, as well as others in the Washington area.
On March 6, before the breach was public, a user on a dark web forum popular with criminal hackers claimed to have access to data — including the names, Social Security numbers, contact information and family members, as well as other information — of a handful of DC Health Link users and claimed to offer the full database for sale. NBC News hasn’t verified the authenticity of the data.
Another user on the site made the files public to anyone with access to the site this week. That database, viewed by NBC News, includes the purported information of more than 65,000 people, including more than 1,000 with job information indicating they work for the House or the Senate. One Senate office, which asked to not be named to protect its’ staffers privacy, confirmed that the personal information of several of its employees in the database was accurate.
DC Health link announced Tuesday that it could split many of its users into two groups — those whose information was exposed publicly and those whose information was stored in the same manner but whose data doesn’t appear to have been compromised. It wasn’t clear why there was a distinction, and DC Health Link didn’t respond to a request for further information.
DC Health Link said in a notice it sent to affected users Wednesday, viewed by NBC News, that it learned of the breach after it was notified March 6 that users’ data “had been exposed on a public forum.”
“We immediately initiated a comprehensive investigation and are working with forensic investigators and law enforcement,” the letter said, warning that the personally identifiable information exposed includes “Your name and name of your dependents enrolled on DC Health Link, Social Security Number, Date of Birth, Gender, Address, Email, and Phone Number. If your DC Health Link coverage is through an employer, then the employer name and information about the employer and work email.”
It said it was offering customers whose data was compromised “three years of free identity and credit monitoring for all three credit bureaus” that they can access immediately.
U.S. Capitol Police and the FBI are investigating.
In a letter last week to the head of the DC Health Benefit Exchange Authority, which operates DC Health Link, House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., warned that the “size and scope of impacted House customers could be extraordinary” because thousands of members of Congress and congressional employees have used DC Health Link since 2014.