Lawmakers are calling for clarity Thursday after the personal information of members of Congress, their families and staff was compromised in a large-scale data breach.
House Chief Administrative Officer Catherine L. Szpindor on Wednesday informed Hill enrollees of DC Health Link, the district’s Affordable Care Health marketplace that provides health insurance to members and staff, that a breach potentially exposed the information of thousands of planholders. Members did not appear to be specifically targeted, Szpindor said in a memo to those with DC Health Link coverage.
It remains unclear exactly how many may be affected or what information may have been exposed.
That data was allegedly being sold on the “dark web,” according to a subsequent letter from Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., sent to Mila Kofman, executive director of the DC Health Benefit Exchange Authority, which administers the marketplace.
“Our agents are assisting the FBI with the ongoing investigation,” a spokesperson for the Capitol Police said in a statement Thursday morning. “There is more work to do before law enforcement can provide more details. The House CAO will be providing helpful information to those who may be impacted.”
House Administration ranking member Joseph D. Morelle, D-N.Y., called the breach “a great risk to our House Members, employees, and their family members,” in a statement Wednesday, but added that he was waiting for further information from the FBI as to the scope of the breach.
“I understand many individuals are concerned about their safety and wellbeing of not only themselves, but their personal information. Detailed guidance and information will be delivered to those directly impacted by this breach,” Morelle continued. “I will work alongside Leader Jeffries and my colleagues to ensure a transparent process and will work relentlessly to get answers to those directly impacted.”
The FBI Washington Field Office did not respond to a request for comment Thursday.
“We are deeply concerned about DC Health Link’s data breach and the impact on our Members and staff,” a CAO spokesperson said in an emailed statement Thursday morning. “We will continue to communicate any updates we receive from law enforcement to impacted Members and staff.”
DC Health Link did not provide an update Thursday and instead reissued its earlier statement.
“We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement,” the marketplace said in the statement. “Concurrently, we are taking action to ensure the security and privacy of our users’ personal information.”
The marketplace said it is in the process of notifying impacted customers and said it would provide identity and credit monitoring services for all of its customers “out of an abundance of caution.”
“The investigation is still ongoing and we will provide more information as we have more to share,” the statement continued.
Thousands of House members and their staff have enrolled in health insurance through DC Health Link since 2014, when a provision of the Affordable Care Act took effect that requires members and their staff who want employer-sponsored coverage to receive insurance through the marketplaces created by the law.
The degree to which members of the Senate, their families and staff are impacted remains unclear. The Senate Sergeant at Arms could not immediately be reached for comment Thursday. The Associated Press reported that the Sergeant at Arms had emailed all Senate email account holders informing them that the stolen data included full names of the insured and family members.
House Administration Committee Republicans on Thursday tweeted that Chairman Bryan Steil, R-Wis., was “aware of the breach and is working with the CAO to ensure the vendor takes necessary steps to protect the PII of any impacted member, staff, and their families.”