
Health Data Breach Exposes Members of Congress, 170K Records Offered on Underground Forum

A health data breach appears to have exposed the sensitive personal information of members of Congress and their employees, as some have been offered identity theft and credit monitoring services.

DC Health Link, the health insurance marketplace for the District of Columbia, is used by many (but not all) members of Congress and their staff. The organization has reported a breach impacting an unspecified number of customers, but a listing on a dark web forum claims to have 170,000 stolen records for sale.

Some members of Congress have social security numbers, phone numbers, home addresses exposed

A sample of the data posted on the dark web, verified by a number of media outlets, contains an array of the sort of personal information that would be included on patient records or insurance agreements: Social Security numbers, home addresses, email addresses, phone numbers, and names of family members and employers. As there are only 535 members of Congress, the vast bulk of these victims are likely staffers or other residents of the District that are eligible for this particular health marketplace.

DC Health Link has offered only limited information about the health data breach thus far, saying that it is working with law enforcement and that all impacted parties are being offered free credit monitoring. Some have additionally been offered identity theft protection. The Senate sergeant at arms has also sent an email to members advising them to freeze their credit for the time being.

Some questions about the veracity and extent of the health data breach do remain, however. While the sample data set contained valid information, it only contained the records of 12 individuals, and all of them either worked for the same company or were family members of those employees. While it appears at this point that there was some sort of legitimate breach at DC Health Link, it is not clear whether the attacker has the 170,000 records they claim (or any information at all regarding members of Congress). The stolen data is also being offered by a broker, who claims to be acting on behalf of the hacker.

Avishai Avivi, CISO at SafeBreach, notes that while this was a serious breach it looks to have not been as extensive as it could have been: “Considering this was a health exchange, the data exposed could have easily included Protected Health Information (PHI). While malicious actors can try and use the data included in the breach to attempt further breaches, the PII elements in question are not too dangerous. To those of us who remember the days before the internet exploded, phone companies used to distribute free books with thousands of PII records including full names, physical address, and phone numbers.”

The attackers do not appear to have deployed ransomware as part of the breach.

Health data breach may have impacted hundreds of members of Congress

While identity thieves may have a hard time impersonating members of Congress, the health data breach has raised serious alarms given that threats against them (and federal officials) are up in recent years. These increases have been sharpest over the past seven years, since the election of Donald Trump seemed to widen partisan divides to a degree greater than ever before, but concerns of this nature have been particularly acute since the Capitol riot of January 6 2021 took place. Since then the halls of Congress have taken on a series of security improvements such as periodic fencing during certain events, more training for the police on site, and increased powers to declare a state of emergency and call on the National Guard.

Members of Congress are far from the only ones facing danger from the health data breach, however. Medical records are extremely lucrative as one-stop sources of nearly everything needed for identity theft and blackmail, and possibly over 100,000 clients of the health marketplace may now be dealing with future attacks. It is unclear whether the records have been sold yet, or even what the asking price is, but there will no doubt be very strong interest in them. At minimum, DC Health Link customers should be on the lookout for unusual emails and text messages, since the exposed names, addresses and phone numbers are exactly what a convincing phishing or smishing lure needs.

Andrew Barratt, Vice President at Coalfire, thinks that the stolen data may be sold more carefully due to attracting an unusual level of attention: “Moving forward, I believe that they’ll probably still try to monetize the data, perhaps in pockets. Depending on the structure of the data and if there are ‘canaries’ in the data it may well be carved up and ‘washed’ with other data sets making the origins difficult to establish. This is where data-canaries can be useful. These are records that are left in the underlying data structure – that appear on the surface to be valid – a sort of John Doe if you will – but that have specific characteristics deliberately randomized and made unique so that they can be used to attribute a block of data to a probable source.”
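To make the canary idea Barratt describes concrete, here is an added example written for this page; it is not Coalfire's, DC Health Link's or the broker's code. It assumes a hypothetical data owner who holds a secret key, seeds each data set (here two made-up "marketplace" sources) with a few plausible-looking records whose phone number and email are derived from an HMAC over the source name, and later checks a dumped block of records against those values. The sample dump is constructed inline, and the "washing" step only changes formatting and unrelated fields, which is the case normalization has to survive.

```python
import hashlib
import hmac
import re

# Constructed for this example: the data owner's secret and the sources it seeds.
SECRET = b"example-canary-key-do-not-reuse"
SOURCES = ["marketplace-A", "marketplace-B"]
FIRST = ["Jordan", "Casey", "Morgan", "Riley", "Avery", "Quinn"]
LAST = ["Reyes", "Okafor", "Lindqvist", "Nakamura", "Brennan", "Haddad"]


def _derive(secret: bytes, source: str, index: int) -> bytes:
    """HMAC over (source, index): unpredictable without the key, reproducible with it."""
    return hmac.new(secret, f"{source}:{index}".encode(), hashlib.sha256).digest()


def make_canary(secret: bytes, source: str, index: int) -> dict:
    """Build a John Doe record whose phone and email are unique to (source, index)."""
    d = _derive(secret, source, index)
    area = 200 + int.from_bytes(d[0:2], "big") % 800          # 200..999
    num = int.from_bytes(d[2:6], "big") % 10_000_000            # 7 digits
    first = FIRST[d[6] % len(FIRST)]
    last = LAST[d[7] % len(LAST)]
    return {
        "name": f"{first} {last}",
        "email": f"{first}.{last}.{d[8:11].hex()}@example.net".lower(),
        "phone": f"({area}) {num // 10000:03d}-{num % 10000:04d}",
        "zip": "20001",
    }


def normalize_phone(s: str) -> str:
    """Keep the last 10 digits so '+1', dots, dashes and parentheses do not matter."""
    return re.sub(r"\D", "", s)[-10:]


def normalize_email(s: str) -> str:
    return s.strip().lower()


def build_index(secret: bytes, sources: list, count: int) -> dict:
    """Map each canary's normalized phone and email back to the source it was planted in."""
    idx = {}
    for src in sources:
        for i in range(count):
            c = make_canary(secret, src, i)
            idx[("phone", normalize_phone(c["phone"]))] = src
            idx[("email", normalize_email(c["email"]))] = src
    return idx


def attribute_dump(records: list, index: dict) -> dict:
    """Count canary hits per source; one record counts at most once."""
    hits = {}
    for r in records:
        probes = (("phone", normalize_phone(r.get("phone", ""))),
                  ("email", normalize_email(r.get("email", ""))))
        for kind, key in probes:
            src = index.get((kind, key))
            if src:
                hits[src] = hits.get(src, 0) + 1
                break
    return hits


def wash(rec: dict) -> dict:
    """Simulate a broker 'washing' a record: reformat phone, change case, drop ZIP."""
    digits = normalize_phone(rec["phone"])
    return {**rec,
            "phone": f"+1 {digits[:3]}.{digits[3:6]}.{digits[6:]}",
            "email": rec["email"].upper(),
            "zip": "00000"}


def sample_dump() -> list:
    """Constructed dump: real-looking filler plus two washed canaries from marketplace-A."""
    return [
        {"name": "Pat Example", "email": "pat@example.org", "phone": "(202) 555-0143", "zip": "20001"},
        wash(make_canary(SECRET, "marketplace-A", 0)),
        {"name": "Sam Sample", "email": "sam.sample@example.org", "phone": "202.555.0177", "zip": "20002"},
        wash(make_canary(SECRET, "marketplace-A", 2)),
    ]


if __name__ == "__main__":
    index = build_index(SECRET, SOURCES, 3)
    print(attribute_dump(sample_dump(), index))   # {'marketplace-A': 2}
```

The matching is deliberately done on normalized phone digits and lower-cased email rather than on whole records, because a washed block keeps the fields that make the data saleable while shuffling the rest. Two independent hits from the same source is a probable attribution; a single hit on a common-looking value is worth a second look before anyone calls it evidence.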

Federal agencies have seen something of a small wave of breaches to begin 2023, but there is not yet any evidence or indication that the health data breach is part of a coordinated campaign. The U.S. Marshals Service was hit by ransomware in mid-February, and reported losing some sensitive data about ongoing investigations and internal procedures in addition to employee personal information. The FBI’s field office in New York was also breached around the same time, but the agency provided very little information and it is unclear if ransomware was involved.

Health care and public health is on the CISA list of critical infrastructure sectors slated for enhanced cybersecurity requirements, but the industry has not received any special orders as of yet. Other sectors have already been ordered to upgrade their cyber defenses by either executive orders (in the case of oil and gas) or directives from an agency that has regulatory power over them (such as the EPA addressing water utilities and the TSA addressing the railroads and aviation industry). The administration only just recently issued its National Cybersecurity Strategy calling for new and uniform standards across these sectors, but also handing off some of the work to Congress to debate.

Dror Liwer, co-founder of Coro, sees this as a call to the healthcare industry to encrypt all sensitive data at rest whether or not new regulations emerge: “Healthcare records are the most sought after by attackers as they represent the highest profit per record on the dark web. Companies storing such records must employ encryption to ensure that even if a perimeter breach occurs, the data remains safe. For most organizations, a breach is difficult to identify as cybersecurity products are siloed and don’t talk to each other. This leaves organizations with the need to rely on the cybersecurity team to ingest alerts and extract intelligence from them across domains. It’s an unreasonable expectation, considering that according to our data, healthcare providers are attacked 11.4 times a week per employee (on average).”