Sensitive information has been posted online from last week’s “significant data breach” of the health insurance marketplace for Washington, D.C., that affected members of Congress, according to Senate staffers briefed on the hack.
In an email to Senate offices, staffers from the Senate Intelligence Committee said they “learned that breached information is already up on one of the big hacker breach sites.”
The information is “easily accessible to folks who know how to look for it,” and “includes name, address, [Social Security number], [date of birth], desk phone number, what plan you signed up for, and how much your monthly contribution is.”
“This is scary,” the email said.
DC Health Link is the Affordable Care Act online marketplace that administers health care plans for members of Congress and certain Capitol Hill staff, as well as others in the Washington area.
On March 6, before the breach was public, a user on a dark web forum popular with criminal hackers claimed to have access to data — including the names, Social Security numbers, contact information and family members, as well as other information — of a handful of DC Health Link users, and claimed to offer the full database for sale. NBC News has not verified the authenticity of that data.
Earlier this week, another user on the site made the files public to anyone with access to the site. That database, viewed by NBC News, includes the purported information of more than 65,000 people, including more than 1,000 with job info indicating they work for the House or Senate. One Senate office, which asked not to be named to protect its staffers' privacy, confirmed that the personal information of several of its employees in the database was accurate.
On Tuesday, DC Health Link announced that it could split many of its users into two groups — those whose information was exposed publicly, and those whose information was stored in the same manner but whose data does not appear to be compromised. It wasn’t clear why there was a distinction, and DC Health Link didn’t respond to a request for further information.
According to a notice that DC Health Link sent to affected users on Wednesday, viewed by NBC News, the entity learned of the breach after being notified on March 6 that users’ data “had been exposed on a public forum.”
“We immediately initiated a comprehensive investigation and are working with forensic investigators and law enforcement,” the letter said, warning that the personally identifiable information exposed includes “Your name and name of your dependents enrolled on DC Health Link, Social Security Number, Date of Birth, Gender, Address, Email, and Phone Number. If your DC Health Link coverage is through an employer, then the employer name and information about the employer and work email.”
It said it was offering customers whose data was compromised “three years of free identity and credit monitoring for all three credit bureaus” that they can access immediately.
The breach is being investigated by the U.S. Capitol Police and the FBI.
In a letter last week to the head of the DC Health Benefit Exchange Authority, which operates DC Health Link, House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., warned the “size and scope of impacted House customers could be extraordinary” due to the thousands of congressional members and employees who have used DC Health Link since 2014.