Congressional health program suffers ‘significant data breach’ affecting ‘hundreds’ of lawmakers, staff

DC Health Link, a program that administers health care plans for members of Congress, suffered a “significant data breach” that has affected “hundreds” of members and staff on Capitol Hill.

In the breach, which occurred on Tuesday, account data and personally identifiable information (PII) pertaining to hundreds of House lawmakers and staff were stolen, according to a Wednesday letter from House chief administrative officer (CAO) Catherine L. Szpindor obtained by The Hill. The letter was sent to House members and employees eligible for health insurance through the program.

Szpindor, who was informed of the breach by the U.S. Capitol Police and DC Health Link, said she is unaware of the “size and scope of the breach,” but noted that it “potentially” exposed the PII of thousands of enrollees. She added that “it does not appear” lawmakers or the House “were the specific target of the attack.”

In a separate notice, the Senate Sergeant at Arms informed Senate email account holders that the DC Health Link breach “included the full names, date of enrollment, relationship (self, spouse, child), and email addresses,” but no other PII.

DC Health Link is the health insurance exchange for the District of Columbia, where residents can apply for and enroll in ObamaCare health plans. Congressional offices are required to use the DC exchange to provide insurance for members and staff.

A spokesperson for DC Health Link confirmed the breach in a statement to The Hill, saying it is cooperating with law enforcement and that a “comprehensive investigation” is ongoing.

“Concurrently, we are taking action to ensure the security and privacy of our users’ personal information,” the statement read. “We are in the process of notifying impacted customers and will provide identity and credit monitoring services. In addition, and out of an abundance of caution, we will also provide credit monitoring services for all of our customers.”

The FBI in a statement said it is “aware of this incident and is assisting” but declined to provide more information, citing “an ongoing investigation.”

U.S. Capitol Police said, “Our agents are assisting the FBI with the ongoing investigation,” adding, “There is more work to do before law enforcement can provide more information.”

“The House CAO will be providing helpful information to those who may be impacted,” the department continued.

Speaker Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) called the incident “an egregious security breach” in a letter.

The pair said they have reached out to DC Health Link “to secure more information” so they can “best collaborate with CAO to address your needs in the coming days, weeks and months.”

“We are being consistently briefed by the Federal Bureau of Investigation and the United States Capitol Police as it relates to this breach’s impact on Member and family security, and we remain grateful to our law enforcement partners for their ongoing commitment to our safety,” they added.

The House Administration Committee GOP wrote on Twitter that Rep. Bryan Steil (R-Wis.), the chairman of the group, “is aware of the breach and is working with the CAO to ensure the vendor takes necessary steps to protect the PII of any impacted member, staff, and their families.”

Szpindor said lawmakers and staff “may wish” to freeze their credit cards out of caution following the breach. She and the Senate Sergeant at Arms also included a number of precautionary measures lawmakers and staff can take to avoid being a victim of financial fraud, including two-factor authentication on banking and utility accounts and apps.

— Updated 10:50 p.m.