Congressional health data breach ‘could be extraordinary’

The FBI has yet to determine the extent of the hack, but it may have included thousands of members of the House of Representatives, employees and their families.

WASHINGTON. Hackers who hacked into the Washington, D.C. health insurance market have stolen sensitive identities of members of Congress, their employees and family members, and the size and scope of the impact “may be extraordinary,” House leadership says.

DC Health Link, which operates the exchange, said an unspecified number of customers were affected and it has notified them and is working with law enforcement to quantify the damage. He stated that he offers an identity theft service to victims and extends credit monitoring to all customers.

About 11,000 of the more than 100,000 members of the exchange work in the House of Representatives and the Senate or are relatives.

In a letter to the director of the exchange posted on Twitter, Speaker of the House Kevin McCarthy and Minority Leader Hakim Jeffreys said the breach “significantly increases the risk that members, employees and their families will face identity theft, financial crime and physical threats.”

They said the FBI told them it was able to acquire the stolen data on the dark web, where it was put up for sale for an undisclosed amount on Monday on a hacker forum popular with cybercriminals.

The FBI said in a brief statement Wednesday evening that it is aware of the incident and is providing assistance.

In the letter, McCarthy and Jeffreys stated that “information sellers appear to be unaware of the high level of confidentiality of sensitive information in their possession and its relationship to members of Congress,” but this will change when the media reports the breach.

They said the FBI has not yet determined the extent of the violation, but that since 2014 thousands of House members, employees and their families have taken out health insurance through DC Health Link. “The size and scope of the House’s affected customers can be extraordinary.”

It was unclear whether the FBI could ensure that copies of the stolen data did not circulate in the underworld of cybercriminals, and if so, how.

In the offer to sell, a broker on an online crime forum claimed to have records of 170,000 DC Health Link customers and said they were stolen on Monday. On Wednesday, via encrypted chat, the broker revealed that he was acting on behalf of a seller known as “thekilob”.

By Thursday, the offer and samples of the stolen data posted on the forum had been removed. The data included social security numbers, addresses, employer names, phone numbers, email addresses, and addresses of a dozen DC Link members. AP contacted him by phone on Wednesday evening.

“Oh my God,” the man said when he was informed that the information had become public. All 12 listed people work for the same company or are family members.

In an email to all Senate email account holders on Wednesday, the Sergeant-at-Arms recommended that anyone registered with the health insurance exchange freeze their credit to prevent identity theft.

The email, sent out by the House General Administration Office on behalf of McCarthy and Jeffries, called the breach “egregious” and urged members to use resources to monitor loans and identity theft.

In an emailed statement on Wednesday, Rep. Joe Morell of New York said House leadership was briefed by Capitol police that DC Health Link “suffered an extremely large enrollment data breach,” which represents ” great risk” to participants, employees and their families. He said the FBI was still determining “the cause, size and extent of the data breach.”

The hack follows several recent breaches affecting US agencies. Hackers hacked into the U.S. Marshals Service computer system and activated ransomware on February 17 after stealing identities of agency employees and subjects of investigation.

The FBI’s computer system was recently hacked at the bureau’s New York field office, CNN reported in mid-February. When asked about the intrusion, the FBI issued a statement calling it “a separate incident that has been contained.” He declined to comment further, including when it happened and whether ransomware was involved.

There was no indication that the DC Health breach was related to ransomware.

Bayak reported from Boston.

Content Source

Dallas Press News – Latest News:
Dallas Local News || Fort Worth Local News | Texas State News || Crime and Safety News || National news || Business News || Health News

Related Articles

Back to top button