House members, staff personal data compromised in health insurer breach
McCarthy and Jeffries sent out an email, obtained by POLITICO, describing an “egregious security breach within DC Health Link’s insurance marketplace.”
The personal data of House members and staff was compromised due to a recently uncovered breach of health care group DC Health Link, House leadership disclosed Wednesday.
House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries sent out an email, obtained by POLITICO, describing an “egregious security breach within DC Health Link’s insurance marketplace.” The leaders noted the breach “compromised the personal information of numerous House Members, spouses, dependents and employees in both parties,” but they did not identify affected members.
“Right now, our top priority is protecting the safety and security of anyone in the Capitol Hill community affected by the cyber hack,” the House leaders wrote, noting they had written to DC Health Link for further information on the breach, and that they are being “continuously briefed” by the FBI and the U.S. Capitol Police about the situation.
A spokesperson for DC Health Link confirmed the breach, and said in a statement that “data for some DC Health Link customers has been exposed on a public forum,” and that the organization is working with forensic investigators and law enforcement to investigate the breach. In addition, DC Health Link is currently in the process of notifying impacted customers, and plans to provide credit monitoring services for all customers regardless of whether their information was compromised.
“We are taking action to ensure the security and privacy of our users’ personal information,” the spokesperson said.
The breach will likely raise concerns on Capitol Hill even higher around threats from cyberattacks, an issue that has come to the forefront due to high-profile ransomware attacks in recent years and a ramp-up of Russian cyber threats due to the war in Ukraine.
The House Office of the Chief Administrative Officer sent a separate letter to House offices on Wednesday further detailing the breach. A spokesperson for the CAO said in a statement that “we are deeply concerned about DC Health Link’s data breach and the impact on our Members and staff. We will continue to communicate any updates we receive from law enforcement to impacted Members and staff.”
The House Administration Committee, which has jurisdiction over the internal procedures of the House, is also stepping in to investigate. House Administration Committee Republicans tweeted Wednesday that committee Chair Bryan Steil (R-Wis.) “is aware of the breach and is working with the CAO to ensure the vendor takes necessary steps to protect the (personal identifiable information) of any impacted member, staff, and their families.”
House Administration Committee ranking member Joe Morelle (D-N.Y.), said in a statement that the breach was “extraordinarily large,” and that the FBI is still working to gather information on the cause and scope of the incident.
In a statement, the FBI said it was "aware of this incident and is assisting. As this is an ongoing investigation, we do not have any additional information to provide at this time."