District of Columbia: @DCHealthLink data hacked; lawmakers/staffers personal data exposed

Not sure how I missed this story a few weeks back, but it's causing quite a fuss in DC for obvious reasons. Via NBC Washington:

More than 56,000 customers were impacted by the DC Health Link data breach, the DC Health Benefit Exchange Authority revealed Friday.

The data fields compromised were name, Social Security number, birthdate, gender, health plan information, employer information and enrollee information – address, email, phone number, race, ethnicity and citizenship status.

Some 11,000 of the exchange’s more than 100,000 participants work in the House and Senate — in the nation's capital and district offices across the nation — or are relatives.

In a letter to the exchange's director posted on Twitter, House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., said the breach “significantly increase the risk that Members, staff and their families will experience identity theft, financial crimes, and physical threats.” The stolen data includes Social Security numbers, phones, addresses, emails and employer names.

The FBI said in a brief statement Wednesday evening it was aware of the incident and was assisting.

In the letter, McCarthy and Jeffries said the FBI had not yet determined the extent of the breach but that thousands of House members, employees and their families have enrolled in health insurance through DC Health Link since 2014. “The size and scope of impacted House customers could be extraordinary.”

Here's what the DC Health Link exchange website has to say about it:

What happened?

On Monday, March 6 the DC Health Benefit Exchange Authority (“DC Health Link”) received notice that data for some DC Health Link individuals had been published on a data breach forum. DC Health Link immediately launched a comprehensive investigation, began working with law enforcement, and engaged a third-party expert forensics firm, to investigate.

Has the threat been contained?

The issue which led to this data breach has been identified and eliminated.

What are you doing for impacted individuals?

DC Health Link is notifying all affected individuals and providing three years of identity and credit monitoring for all three major credit bureaus. The three years of monitoring protection includes all enrolled dependents, spouses, and children.

DC Health Link is sending affected individuals notice via their DC Health Link account.

What data has been exposed?

The data fields include the following, although not all data fields were necessarily included for each individual: name, Social Security number, date of birth, gender, health plan information (e.g., plan name, carrier name, premium amounts, employer contribution, and coverage dates), employer information, enrollee information (e.g., address, email, phone number, race, ethnicity, and citizenship status).

What are you doing to make sure this does not happen again?

We are working with the expert forensics firm Mandiant to do a comprehensive review of our security measures and controls, and we will be implementing new protocols going forward.

We understand that the data exposed contained personal information, and we do not take that lightly. That’s why we acted quickly to notify affected individuals and to provide them with identity and credit monitoring protection.

Here's their most recent update, from March 14th:

As a result of our investigation, DC Health Link has identified two distinct groups – (Group 1) individuals we know were impacted by the data breach because their information was taken and posted publicly and (Group 2) individuals whose information we now know was stored in the same manner as the first group but we do not have actual evidence that information for Group 2 was compromised. Please find a description of these groups below, along with DC Health Link’s plan to notify them and provide free identity and credit monitoring services.

• Group 1: Individuals whom we know were impacted because their information was taken and posted publicly. We provided a notice through their DC Health Link account on Thursday, March 9. All people in Group 1 were provided with three years of free identity and credit monitoring services. The three years of monitoring protection includes all enrolled dependents, spouses, and children.

• Group 2: Individuals whose information we now know was stored in the same manner as those in Group 1. These individuals are being notified in an abundance of caution as we cannot say with certainty their information was compromised because we have no evidence of access or download. We expect to complete the data review and notification process in the coming days. Everyone in Group 2 will receive a notice in their DC Health Link account. All individuals in Group 2 will also be provided with three years of free identity and credit monitoring services. The three years of monitoring protection includes all enrolled dependents, spouses, and children.

The issue which led to this data breach has been identified and eliminated. DC Health Link is working with third party forensic experts to conduct a comprehensive review and to strengthen our security defenses.