The FBI has purchased personal data stolen from a Washington D.C. health insurance marketplace whose subscribers included thousands of members of Congress, their staff, and their families, after the information was put up for sale on a criminal website.
This came after the hack earlier this week at DC Health Link, an insurance provider for the District of Columbia, the federal district home to the U.S. capitol. It is administered by the District’s Health Benefit Exchange Authority.
It is believed the FBI made the move to protect the personal information of the estimated 11,000 Congressional and related users of the marketplace, and keep the data from being used to impersonate or spam them.
By Thursday, an Associated Press article in the Washington Post said the offer and sample stolen data posted to the forum had been removed. However, it isn’t known if copies of the stolen data are floating around elsewhere.
In a letter sent to DC Health Link, House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries said the hacker appeared to be unaware that the stolen data included information on politicians and others who work in Congress.
The Associated Press report said some 11,000 of the exchange’s more than 100,000 participants work in the House and Senate or are relatives.
In the letter to DC Health Link, the Congressional leaders say the FBI told them the agency was able to purchase the data on the dark web, and that it included names of spouses, dependent children, Social Security numbers and home addresses.
News of the data breach first came Wednesday from the news site The Daily Caller, which quoted from a letter by the House’s Chief Administrative Officer.
The most concerning issue with this breach was that it was undetected until the data was for sale, said Thomas Richards, principal security consultant for Synopsys Software’s integrity group.
“This, unfortunately, points to a failure in both the prevention and detection of such attacks. The sensitivity and types of data breached should trigger a thorough review of the DC Health Link cybersecurity policies and procedures. Without knowing the root cause of the breach, it is difficult to offer specific remediation guidance to prevent such attacks. In a situation like this, the affected systems need to be forensically examined to determine the scope of the breach and to prevent any further data leakage. The attackers could still have access inside the DC Health Link network, so any anomalous network connections or activity needs to be reviewed.”
The DC Health Link data breach underlines how important it is for healthcare organizations to implement rigorous security controls,” said Robert Prigge, CEO of Jumio. “With personally identifiable information (PII), such as Social Security numbers, phone numbers, dates of birth and physical addresses stolen during the attack, U.S. House of Representative members, their staff and their families find themselves at risk of insurance fraud, identity theft and account takeover attacks. The stolen information is already being sold online, causing further complications for the victims.”