House, Senate members affected in DC Health Link breach total 21
House Administration Committee hosts an all-members virtual briefing about the situation
The DC Health Link data breach impacted 21 members across the House and Senate who get their insurance through the program, a senior congressional aide, who spoke on the condition of anonymity, confirmed Tuesday.
Information about the breach continued to emerge Tuesday as members of the House Administration Committee hosted an all-members virtual briefing about the situation. The number of staff members impacted, however, remains unclear.
In all, 56,415 customers were affected, the DC Health Benefit Exchange Authority, which oversees the exchange, said Friday.
The meeting Tuesday was open only to members and included updates from the House chief administrative officer, the Capitol Police and the House sergeant at arms, according to the aide.
“The investigation is ongoing and it may take weeks to fully understand the impact,” House Administration Chair Bryan Steil, R-Wis., said in a statement after the briefing. “The Chief Administrative Office, U.S. Capitol Police, and House Sergeant at Arms are taking action to assist members and staff who have been impacted. … Moving forward, the Committee on House Administration will take action to hold bad actors accountable and avoid this occurring again in the future.”
The briefing focused largely on what steps members could take to protect themselves, including freezing their credit and utilizing credit monitoring offered by DC Health Link to all those impacted, according to two aides with knowledge of the meeting.
“We have conveyed all the information we know at this time to those affected and to our colleagues during the bipartisan briefing held this afternoon,” House Administration ranking member Joseph D. Morelle, D-N.Y., said in a statement after the meeting. “As the investigation continues and we learn more details about the breach, we will ensure those details are communicated to those directly impacted.”
The DC Health Benefit Exchange Authority said in its Friday statement that it became aware of the breach of its systems — which are separate from House or Senate networks — on March 6 and began working with law enforcement and a third-party forensics firm, Virginia-based Mandiant.
Members and staff were notified of the breach by the House Office of the Chief Administrative Officer on March 8. On the same day, Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., issued a letter to Mila Kofman, executive director of the DC Health Benefit Exchange Authority, that said the information was allegedly being sold on the dark web.
The Capitol Police said they were working with the FBI to investigate the breach.
According to McCarthy and Jeffries, thousands of House members and their staffers have enrolled in health insurance through DC Health Link since 2014, when a provision of the Affordable Care Act took effect that requires members and their staff who want employer-sponsored coverage to receive insurance through the marketplaces that law created.
The names, Social Security numbers, birthdates, addresses, email addresses and phone numbers of enrollees were accessed in the breach, according to the DC Health Benefit Exchange Authority.
CyberScoop, a media outlet dedicated to coverage of cybersecurity, reported Monday that a user on a hacking forum over the weekend posted what they claimed was the full set of data stolen in the breach.