Health data and other personal information of members of Congress and staff were stolen during a breach of servers run by DC Health Care Link and are now up for sale on the dark web.
The FBI is investigating the intrusion, which came to light Wednesday after Catherine Szpindor, the House of Representatives’ chief administrative officer, sent a letter to House members telling them of the incident. Szpindor wrote that she was alerted to the hack by the FBI and US Capitol Police.
DC Health Link is the online marketplace for the Affordable Care Act that administers the healthcare plans for members of Congress as well as their family and staff.
Szpindor called the incident “a significant data breach” that exposed the personal identifiable information (PII) of thousands of DC Health Link employees and warned the Representatives that their data may have been compromised.
“Currently, I do not know the size and scope of the breach,” she wrote, adding the FBI informed her that account information and PII of “hundreds” of House and staff members were stolen. Once Szpindor has a list of the data taken, she will directly contact those people affected.
In a statement to The Register, a DC Health Link spokesperson confirmed the breach and said the company was conducting its own inquiry while working with law enforcement and forensic investigators.
House leaders look for answers
In a letter to Mila Kofman, the executive director of the DC Health Benefit Exchange Authority, House Speaker Kevin McCarthy (R-CA) and House Democratic Leader Hakeem Jeffries (D-NY) asked for more information about the attack, including when the affected House members and their staff and family would be notified and what services – such as credit monitoring – would be offered.
They also want to know specifically what data was stolen, what steps were being taken to protect against future breaches, and what is being done to mitigate the damage.
“Thousands of House Members and employees from across the United States have enrolled in health insurance through DC Health Link for themselves and their families since 2014,” McCarthy and Jeffries wrote. “The size and scope of impacted House customers could be extraordinary.”
Szpindor in her letter recommended House members consider freezing their credit at Equifax, Experian, and TransUnion until the breadth of the breach is known, particularly which representatives and staff members had their data compromised.
According to CNBC, the Senate may also have been impacted by the breach, with an email sent to offices in that side of Congress saying the Senate at Arms was told of the breach from law enforcement and the “data included the full names, date of enrollment, relationship (self, spouse, child), and email address, but no other Personally Identifiable Information (PII).”
The FBI in a terse statement to the media said it was “aware of this incident and is assisting. This is an ongoing investigation.” Capitol Police said they were working with the FBI.
Data for sale
At least some of the PII taken during the breach found its way onto a dark web marketplace. In their letter, McCarthy and Jeffries noted the FBI was able to buy the PII and other enrollee information that was breached. The information included names of spouses and dependent children, Social Security numbers, and home addresses.
CNBC said a post on a dark web site put up for sale the data of 170,000 Health Link members and posted data from 11 users as a sample.
“This breach significantly increases the risk that Members, staff, and their families will experience identity theft, financial crimes, and physical threats — already an ongoing concern,” the two House leaders wrote.
They added that “fortunately, the individuals selling the information appear unaware of the high-level sensitivity of the confidential information in their possession, and its relation to Members of Congress. This will certainly change as media reports more widely publicize the breach.”
That knowledge may not make much difference. Cybercriminals don’t care whose records they steal as long as they’re sensitive enough to get people to pay for them, according to Joseph Carson, chief security scientist and advisory CISO at security software maker Delinea.
This likely wasn’t a targeted attack on a specific group of people. Otherwise the cybercriminals wouldn’t be as public about it, nor would the records be for sale, Carson told The Register.
“I don’t believe this would make any difference other than increasing the focus and attention on the attackers,” he said. “In the end, the attackers are looking to make money from this data theft and they don’t really care who is the victim that it impacts.”
Still, “the attackers will likely want to lay low for a period of time due to the high visibility of the victims and attention they are now getting along with the FBI getting involved.”
Chris Gonsalves, chief research officer at Channelnomics, said the crooks likely knew a lot about the target based on the reconnaissance that typically precedes such an attack. They just didn’t care, he told The Register.
“The stuff is for sale on the dark web already, has been sold at least once that we know of, and will remain so until it’s no longer profitable,” Gonsalves said, cautioning that while the FBI is good at investigating such cases, it’s not the only one on their docket and “their success rate is roughly a coin flip. They may put a little more effort into this one depending on how loud things get on the Hill, but this isn’t some unprecedented case we have before us.
“The good news here is that people with loud voices and a big mic got hit this time instead of just us poor saps, so there’s a good chance this will turn a spotlight on the problem, which is never a bad thing,” he said. “Let’s see how long that lasts.”
Organizations in the healthcare field have come under increasing attacks in recent years, which is unsurprising given the vast amounts of PII and health data – from medical records to Social Security numbers – they hold on doctors, staff, and patients.
Cybersecurity firm Check Point in a report said the number of cyberattacks around the world jumped 38 percent year-over-year in 2022 and that healthcare, education and research, and government were the top three targeted sectors. ®