WASHINGTON — A top House official said that a “significant data breach” at the health insurance marketplace for Washington, D.C., on Tuesday potentially exposed personal identifiable information of hundreds of lawmakers and staff.
In a letter obtained by NBC News, Chief Administrative Officer Catherine L. Szpindor said Wednesday that the U.S. Capitol Police and the FBI had alerted her to a data breach at DC Health Link, the Affordable Care Act online marketplace that administers health care plans for members of Congress and certain Capitol Hill staff.
“Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and [personally identifiable information] of hundreds of Member and House staff were stolen,” Szpindor said. “I expect to have access to the list of impacted enrollees later today and will notify you directly if your information was compromised.”
Szpindor added that it did not appear that House lawmakers were “the specific target of the attack” on DC Health Link.
A reporter for The Daily Caller first tweeted Szpindor’s letter.
Out of an “abundance of caution,” Szpindor said, lawmakers may opt to freeze family credit at three major credit bureaus, Equifax, Experian and Transunion.
The data breach has also affected Senate offices, according to an email sent to Senate offices Wednesday afternoon that said the Senate Sergeant at Arms was informed by law enforcement about a data breach.
The notice said that the “data included the full names, date of enrollment, relationship (self, spouse, child), and email address, but no other Personally Identifiable Information (PII).”
A spokesperson for the DC Health Benefit Exchange Authority, which operates DC Health Link, said Wednesday that it had launched an investigation into the breach.
“We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement. Concurrently, we are taking action to ensure the security and privacy of our users’ personal information,” the spokesperson said in a statement. “We are in the process of notifying impacted customers and will provide identity and credit monitoring services.”
Credit monitoring services were also being provided for all affected customers, the spokesperson said.
In a statement, the Capitol Police said, “Our agents are assisting the FBI with the ongoing investigation. There is more work to do before law enforcement can provide more details. The House CAO will be providing helpful information to those who may be impacted.”
The FBI said it “is aware of this incident and is assisting. As this is an ongoing investigation, we do not have any additional information to provide at this time.”
According to Szpindor’s letter, House Speaker Kevin McCarthy, R-Calif., and House Minority Leader Hakeem Jeffries, D-N.Y., requested additional information from DC Health Link on what data was taken, who was affected and what steps were being taken to protect House victims of the breach.
A letter from McCarthy and Jeffries to the head of the DC Health Benefit Exchange Authority said that the FBI purchased some of the hacked material on the dark web, including Social Security numbers and other sensitive information connected to members of Congress and their staffs.
In the letter obtained by NBC News, the two House leaders also warned about the potential fallout from the breach, saying the “size and scope of impacted House customers could be extraordinary” due to the thousands of congressional members and employees who have used DC Health Link since 2014.
“Fortunately, the individuals selling the information appear unaware of the high-level sensitivity of the confidential information in their possession, and its relation to Members of Congress,” the lawmakers wrote. “This will certainly change as media reports more widely publicize the breach.”
In a post on a popular dark web hacker forum viewed by NBC News on Wednesday night, a well-established user advertised what they claimed was the Health Link data set for sale.
The post, which was published Monday and edited Tuesday — before the breach was disclosed to congressional members and staff — claimed to have the personal information, including names, birthdays, spouses and Social Security numbers, of 170,000 Health Link customers. The hacker posted information from 11 users as a sample. The post now notes that the data has been sold.
NBC News has not verified the authenticity of the personal data that was posted online.
The House Administration Committee tweeted that panel chairman Bryan Steil, R-Wis., was aware of the data breach “and is working with the [chief administrative officer] to ensure the vendor takes necessary steps to protect the PII of any impacted member, staff, and their families.”