A health data breach at a Washington DC medical insurance marketplace has caused a great deal of concern as it appears that members of Congress were among the compromised parties, who appear to number about 170,000 in total.
The marketplace is used not just by members of Congress, but also by their employees and by other residents of the district who get their coverage through an Affordable Care Act plan. While it does not appear that medical records or personal health information were compromised, Social Security numbers were reportedly stolen along with contact information that was likely meant to be private.
“Hundreds” of members of Congress possibly compromised along with staff
There are natural fears of identity theft whenever there is a health data breach, and that is going to be the main concern for most of the victims. But members of Congress may also have to deal with potential threats that arise from having their home addresses and private phone numbers made available on the dark web.
The health data breach does not appear to be connected to other recent attacks on the FBI and US Marshals Service, and appears to be a for-profit effort rather than an act by a state-backed threat group. But it illustrates why the Biden administration has been pushing so hard for cybersecurity improvements for critical infrastructure sectors, and the health care industry may be next in line for White House attention.
Members of Congress advised to freeze their credit after attack
In addition to Social Security numbers and personal contact information, some of the records reportedly contained names of employers and names of family members. All of this provides attackers with enough material for a variety of confidence schemes and hacking attempts, particularly if it can be combined with stolen information from other data breaches. The Senate sergeant at arms has advised members of Congress to freeze their credit in the wake of the attack, and this may not be a bad idea for anyone else who is impacted. DC Health Link is offering free credit monitoring to those who had records stolen in the health data breach, and some people are additionally eligible for a free subscription to a credit protection service.
Several media sources have verified that a sample of data the attacker made available is legitimate; however, the sample included only 12 records, and many of the people involved either worked for the same company or were family members. There is no indication whether members of Congress or their employees were among this data sample.
The health data breach could have been much worse if medical records were stolen, but insurance files contain enough personal information to make this a very serious incident that requires immediate attention from any and all DC Health Link customers. While it remains to be seen if this will prompt the Biden administration to focus on bolstering the cyber defenses of the health industry next, it should at least raise the topic of encrypting all sensitive data even if there are no regulations specifically forcing patient care outfits to do so.