House Members at Risk After Insurer Data Breach

Written by

Hundreds of House of Representative members and staffers may have had insurance and personally identifiable information (PII) stolen from an insurance provider, it has emerged.

A correspondent for right-wing news site Daily Caller tweeted screenshots of an email from House chief administrative officer, Catherine Szpindor, to possible victims, revealing the incident.

The company in question is health insurance marketplace DC Health Link, which was created and is managed by the DC Health Benefit Exchange Authority (HBX).

“DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a member or employee eligible for health insurance through the DC Health Link, your data may have been comprised,” Szpindor wrote.

“Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and PII of hundreds of member and House staff were stolen.”

Szpindor urged affected parties to request a credit freeze with the major bureaus, in order to prevent threat actors from using the stolen info to take out lines of credit in their name.

Although House members are not thought to have been the specific target of the attack, it will be concerning that potentially so many had sensitive details lifted from a third party. Those details could theoretically be used by hostile states for further espionage and phishing operations.

"The big question is how the House and other US federal bodies can now avoid opportunistic attacks stemming from this leak," warned Gerasim Hovhannisyan, CEO of EasyDMARC. "In particular, there’s a big risk of a huge spike in phishing attacks from sophisticated cyber-criminals leveraging the intelligence that can be found in the leaked data."

One threat actor, IntelBroker, is already selling the data as part of a trove that it claims to have stolen from the Health Benefit Exchange Authority, listing 170,000 victims.

According to a screenshot posted to Twitter, the haul includes countless insurance details plus home and work emails, home addresses, phone numbers, Social Security numbers, dates of birth, ethnicity and citizen status.

What’s hot on Infosecurity Magazine?