Getty Images/iStockphoto

DC Health Link Healthcare Data Breach Exposes PHI of Congress Members

The FBI and US Capitol Police are investigating a recent healthcare data breach at DC Health Link, where House members' and staff's personal health information (PHI) was compromised.

An unidentified threat actor has potentially exposed the personal health information (PHI) of hundreds of House of Representative members and staff in a recent healthcare data breach of health insurance marketplace DC Health Link, House leadership revealed.

Catherine Szpindor, the chief administrative officer of the US House of Representatives, stated that the size and scope of the attack in the recent DC Health Link data breach was unknown but had affected employees and families of lawmakers at the time of the notification sent on Wednesday.

However, it was mentioned that the attack did not specifically target members of the House of Representatives. In response to the data breach, Szpindor requested more information from DC Health Link regarding the data stolen, affected parties, and steps to protect House victims, including credit monitoring protections.

House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries issued a separate notification, in which they noted that the FBI had informed them of the purchase of personal identifiable information (PII), along with other enrollee information, on the dark web. Purchased PII included the names of spouses, dependent children, their social security numbers, and home addresses.

The House Speaker and Minority Leader warned that the recent data breach posed a significant threat of identity theft, financial crimes, and physical threats to members, staff, and their families, which were already a concern. They also cautioned that the sensitivity of the information sold on the dark web may become more widely known through media reports.

"We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement," McCarthy said. "Concurrently, we are taking action to ensure the security and privacy of our users' personal information."

Next Steps

Dig Deeper on Cybersecurity strategies