House leaders say scope of health care hack unknown, but ‘could be extraordinary’

Top leaders in the House said the scope of the data breach at DC Health Link, a program that administers health care plans for members of Congress and their staff, remains unknown, but the pair warned that the size of the impact “could be extraordinary.”

The update came in a letter Speaker Kevin McCarthy (R-Calif.) and House Minority Leader Hakeem Jeffries (D-N.Y.) wrote on Wednesday to Mila Kofman, the executive director of DC Health Benefit Exchange Authority, requesting more information regarding the hack.

“At this moment, the cause, size and scope of the data breach affecting DC Health Link could not be determined by the FBI,” McCarthy and Jeffries wrote. “Thousands of House Members and employees from across the United States have enrolled in health insurance through DC Health Link for themselves and their families since 2014.”

“The size and scope of impacted House customers could be extraordinary,” they added.

DC Health Link, the health insurance exchange for Washington, D.C., suffered a data breach on Tuesday that, according to House chief administrative officer (CAO) Catherine L. Szpindor, stole account data and personal identifiable information (PII) belonging to hundreds of House lawmakers and staff. Szpindor said the hack “potentially” exposed the PII of thousands of enrolled.

Additionally, the Senate Sergeant at Arms told Senate email account holders that the breach “included the full names, date of enrollment, relationship (self, spouse, child), and email addresses,” but no other PII.

The breach was first revealed on Wednesday. DC Health Link allows residents to apply for and enroll in ObamaCare health plans. Congressional offices are requires to utilize the system to provide insurance for members and staff.

An investigation is ongoing, according to DC Health Link, the FBI and Capitol Police.

In their letter on Wednesday, McCarthy and Jeffries said the FBI was able to purchase the stolen PII on the “dark web.” They added that the hack “significantly increases the risk that Members, staff, and their families will experience identity theft, financial crimes, and physical threats — already an ongoing concern.”

“Fortunately, the individuals selling the information appear unaware of the high-level sensitivity of the confidential information in their possession, and its relation to Members of Congress,” they continued. “This will certainly change as media reports more widely publicize the breach.”

McCarthy and Jeffries asked that Kofman provide more details regarding the breach, including when the company will formally notify individuals who were impacted, what services — including credit monitoring services — those people will receive in response to the incident, what enrollee information was stolen and what steps have been taken to protect against a future breach and mitigate the effect of Tuesday’s hack, among other inquiries.

Asked for an update on Thursday, Jeffries told reporters at a press conference in the Capitol that he had not yet been briefed on the situation, but said it is “highly problematic” that the breach could have an “adverse impact” on lawmakers, staffers, family members and D.C. residents.

“We’re gonna continue to work on this issue in a bipartisan way, get to the bottom of what happened, figure out the implications of what has occurred,” Jeffries said. “And also we’re gonna need some real reassurance as to guardrails that are put in place to prevent this type of data breach from ever happening again.”