DC Health Link data breach: More than 56,000 users affected

Members of the House and Senate were informed Wednesday that hackers may have gained access to their sensitive personal data through the breach of DC Health Link. 

DC Health Link confirmed to FOX 5 that data for some DC Health Link customers was exposed on a public forum.

"We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement. Concurrently, we are taking action to ensure the security and privacy of our users’ personal information," DC Health Link representative Adam Hudson told FOX 5. "We are in the process of notifying impacted customers and will provide identity and credit monitoring services."

A broker on an online crime forum claimed to have records on 170,000 DC Health Link customers and was offering them for sale for an unspecified amount. The broker claimed they were stolen Monday. The broker told the Associated Press that they were acting on behalf of the seller, who they identified as "thekilob."

In a statement, however, DC Health Link said the number of impacted customers was 56,415. You can read the full statement on the data breach below:

"The DC Health Benefit Exchange Authority takes the data breach of enrollee information very seriously. On Monday, March 6, 2023 upon becoming aware of the incident, we immediately launched an investigation, began working with law enforcement, and engaged a third-party forensics firm – Mandiant. While our investigation is ongoing, we’d like to provide an update on the current situation. There are 56,415 customers impacted. The data fields include the following, although not all data fields were necessarily included for each enrollee: name, Social Security number, date of birth, gender, health plan information (e.g. plan name, carrier name, premium amounts, employer contribution, and coverage dates), employer information, enrollee information (e.g. address, email, phone number, race, ethnicity, and citizenship status). We recognize the seriousness of this incident and we have reached out to impacted enrollees to provide three years of free identity and credit monitoring for all three major credit bureaus. The three years of monitoring protection includes all enrolled dependents, spouses and children. In addition, and out of an abundance of caution, we are offering the same three years of monitoring to all other customers, who were not impacted. While this remains an ongoing investigation, our services are running normally and we continue to operate in a state of heightened alert."

Stolen data posted on the forum included Social Security numbers, addresses, names of employers, phone numbers and emails.

In an emailed statement, Rep. Joe Morelle of New York said House leadership was informed by Capitol Police that DC Health Link "suffered an extraordinarily large data breach of enrollee information" that posed a "great risk" to members, employees and their family members. "At this time the cause, size, and scope of the data breach impacting the DC Health Link still needs to be determined by the FBI," Morelle said.

The Associated Press contributed to this report.