Hundreds of US House members and staff had their personally identifiable information stolen in a breach of a DC health care insurance service, the House chief administrative officer told lawmakers Wednesday in a letter obtained by CNN.
The FBI is investigating the “significant data breach,” which occurred Tuesday and potentially involved thousands of enrollees in the DC Health Link marketplace, House Chief Administrative Officer Catherine Szpindor told lawmakers in the letter.
“It is important to note that at this time, it does not appear that Members or the House of Representatives were the specific target of the attack,” Szpindor wrote.
DC Health Link confirmed in a statement that “data for some DC Health Link customers has been exposed on a public forum.”
“We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement. Concurrently, we are taking action to ensure the security and privacy of our users’ personal information,” the statement said, adding that DC Health Link will provide identity and credit monitoring services for impacted customers as well as credit monitoring services for all of its customers “out of an abundance of caution.”
The FBI said in a statement Wednesday that it is “aware of this incident and is assisting. As this is an ongoing investigation, we do not have any additional information to provide at this time.”
House Speaker Kevin McCarthy told CNN that the breach, which was first reported by Punchbowl News, is a “real concern.”
“Leader Hakeem Jeffries and I sent a letter to the DC Health about the concern we have here,” the California Republican said, noting that he does not know how many members may have been affected.
On a popular cybercrime forum this week, someone claimed to have sold the data belonging to DC Health Link. The advertisement for the stolen data, which CNN reviewed, claimed the leak affected 170,000 people and included Social Security numbers.
CNN was unable to independently verify those claims. The user advertising the data did not immediately respond Wednesday night when CNN asked in an online chat how much they sold the data for.
The advertisement was removed from the cybercrime forum later Wednesday night. It was not immediately clear why.
The user has been on the cybercrime forum for months and earned a reputation for selling compromised databases, Michael DeBolt, chief intelligence officer at security firm Intel471, told CNN.
“Like other financially motivated actors, (this actor) is opportunistic rather than seeking to target specific regions or sectors,” DeBolt said.
Contractors that store data belonging to US lawmakers could face greater scrutiny following this week’s breach.
The Committee on House Administration Republicans tweeted that Chairman Bryan Steil “is aware of the breach” and is working with Szpindor, the House chief administrative officer, “to ensure the vendor takes necessary steps to protect the (personally identifiable information) of any impacted member, staff, and their families.”
The top Democrat on the panel, Rep. Joe Morelle of New York, told CNN the data breach is “egregious” and that the FBI discovered it because the information ended up on the “dark web.”
He said in addition to investigating what happened, Congress needs to figure out how to allocate more resources so those who contract with the government can better protect this type of information.
“We are deeply concerned about DC Health Link’s data breach and the impact on our Members and staff. We will continue to communicate any updates we receive from law enforcement to impacted Members and staff,” a CAO spokesperson said in a statement.
This story has been updated with additional information.