The recent breach of D.C. Health Link, a health care insurance exchange that serves the nation’s lawmakers and Washington residents, exposed the sensitive information of 21 current members of Congress, two senior congressional aides familiar with the matter told CyberScoop on Monday.
The initial breach was first reported last week after a House official warned lawmakers that they could have been exposed. But over the weekend, the scope of the breach and the number of lawmakers affected became clearer after a user of a hacking forum posted online what they claimed was the full set of data stolen from D.C. Health Link.
That file contained more than 67,500 unique entries. CyberScoop confirmed the authenticity of the data belonging to one individual in the data set, which includes names, email addresses, dates of birth, home addresses, Social Security numbers and details about insurance policies.
By late Monday, the user that uploaded the data threatened that more was to come. “More data exists, but will not be leaked for the time being,” a user named Denfur posted. “The use of it is something important. More than one database were (sic) exposed.”
The D.C. Health Benefit Exchange, the city agency that operates the insurance market, said Friday that 56,415 of its customers had their data swept up in the breach. The exchange also said it hired the threat intelligence firm Mandiant to conduct a forensic investigation of the breach.
A breach of this nature, which includes health care information alongside personal data, can put victims at risk of additional scams and other types of cyberattacks. The fact that it includes sensitive information about national lawmakers along with their families and staff is even more concerning.
The data set posted Sunday includes more than 1,800 entries pertaining to people associated with Congress, whether members of the legislative body, their families or staff, a CyberScoop analysis of the data shows. The data also includes hundreds of names spread across at least 20 foreign embassies and thousands of other employers. As CyberScoop previously reported, the data set also includes former national security and defense officials and affects a wide swath of the capital city, from employees of coffee shops to dentist offices to civil society groups.
An examination by CyberScoop of the federal legislators included in the data posted on Sunday roughly corresponded with the tally provided by congressional aides, but given the large amount of data at play and threats by Denfur to release additional hacked material, the number of individuals ultimately affected may change.
Denfur claimed on Monday that the “vector for the attack was an open, exposed database,” and said that the database “was breached through simply connecting to it, no verification was required” and that it was “likely exposed for over a year and a half before the breach occurred.”
According to a source familiar with the response to the breach, the material posted online so far is not the full set of data that was exposed. The source, who spoke on condition of anonymity, said the initial incident response is still ongoing and that, contrary to the leaker’s description of D.C. Health Link being breached “through simply connecting to it” without verification, it took some familiarity with the database software to access the data.
With just under two dozen members included in the data set, the number of federal legislators exposed is smaller than the hundreds initially thought to be affected. But with hundreds of congressional staffers also exposed, the breach remains a top security concern on the Hill. On Tuesday the House Administration Committee will hold a members-only bipartisan briefing providing updates from US Capitol Police, the Chief Administrative Office and the House Sergeant at Arms, according to one of the aides.