Confidential information from last week’s «significant data breach» of the Washington, DC, health insurance marketplace, affecting members of Congress, has been posted online, according to Senate staff briefed on the attack.
In an email to the Senate offices, staff members of the Senate Intelligence Committee said they «have learned that the breached information is already on one of the large hacker breach sites.»
The information is «easily accessible to people who know how to look it up» and «includes name, address, [Social Security number], [date of birth], desk phone number, which plan you signed up for, and how much your monthly contribution is.»
«This is scary,» the email read.
DC Health Link is the Affordable Care Act online marketplace that manages health care plans for members of Congress and certain Capitol Hill staff, as well as others in the Washington area.
On March 6, before the breach was made public, a user on a dark web forum popular with hackers claimed to have access to data, including names, social security numbers, contact information, and family members, as well as other information, of a handful of DC Health Link users, and claimed to offer the entire database for sale. NBC News has not verified the authenticity of that data.
Earlier this week, another user of the site made the files public to anyone with access to the site. That database, seen by NBC News, includes the purported information of more than 65,000 people, including more than 1,000 with employment information indicating they work for the House or Senate. A Senate office, which asked not to be named to protect the privacy of its staff, confirmed that the personal information of several of its employees in the database was accurate.
On Tuesday, DC Health Link announced that it could divide many of its users into two groups: those whose information was publicly exposed, and those whose information was stored in the same way but whose data does not appear to be compromised. It was not clear why there was a distinction, and DC Health Link did not respond to a request for more information.
According to a notice DC Health Link sent to affected users Wednesday, viewed by NBC News, the entity learned of the breach after receiving notification on March 6 that user data «had been exposed on a public forum.»
«We immediately launched a thorough investigation and are working with forensic investigators and law enforcement,» the letter said, noting that the exposed personally identifiable information includes «Your name and the name of your DC Health Link enrolled dependents, social security number, date of birth, gender, address, email, and phone number. If your DC Health Link coverage is through an employer, then the employer’s name and information about the employer and work email.»
It said it was offering customers whose data was compromised «three years of free credit and identity monitoring for all three credit bureaus» that they can access immediately.
The breach is being investigated by the US Capitol Police and the FBI.
In a letter last week to the head of the DC Health Benefits Exchange Authority, which operates DC Health Link, House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., warned that the «size and scope of affected House clients could be extraordinary» given the thousands of members of Congress and employees who have used DC Health Link since 2014.