Cyber Incident Victim: DC Health Link

Date:

Mar 2023

Location:

United States of America

Summary

A significant data breach at DC Health Link exposed personally identifiable information of U.S. House members and staff, potentially affecting thousands of enrollees. The FBI is investigating the incident, in which threat actors stole sensitive data including names, Social Security Numbers, birthdates, addresses, and contact details, and later offered it for sale on hacking forums. Authorities confirmed some data was publicly exposed and purchased by law enforcement, prompting credit monitoring services for all impacted individuals. While the breach's full scope remains under investigation, preliminary findings suggest affected individuals were not specifically targeted. The incident also prompted congressional leaders to seek further details on protective measures for victims.

Description

On or around March 6, 2023, a threat actor known as IntelBroker advertised a stolen dataset from DC Health Link, the administrator of health insurance plans for U.S. House members, congressional staff, and their families, on a dark web hacking forum. The actor claimed to have breached the DC.gov Health Benefit Exchange Authority and to possess sensitive personal information of approximately 170,000 individuals, listing data fields including names, Social Security Numbers, dates of birth, addresses, email addresses, phone numbers, policy details, employer information, and citizenship status. A sample posted with database headers corroborated the dataset’s comprehensiveness. IntelBroker offered the data for sale in exchange for Monero (XMR) cryptocurrency and stated that it had already been sold to at least one buyer. The breach was discovered by law enforcement shortly after the forum post became active, prompting the FBI and U.S. Capitol Police to alert congressional leadership on March 7.

House Chief Administrative Officer Catherine L. Szpindor notified affected House members and staff via email on March 7, confirming the FBI’s assessment that account information and personally identifiable information (PII) of "hundreds" of House-affiliated individuals had been stolen. Although the full scope remained unclear initially, both Szpindor and DC Health Benefit Exchange Authority spokesperson Adam Hudson later acknowledged publicly that “thousands of enrollees” were impacted. By March 8, forensic investigations confirmed the exposure of data for some customers, leading DC Health Link to commence notifications, offer identity and credit monitoring to confirmed victims, and extend monitoring to all customers as a precaution.

Separate communications from the Senate Sergeant at Arms revealed that Senate office data was also compromised, though limited to names, enrollment dates, relationships, and email addresses, excluding highly sensitive PII like SSNs.

The FBI acquired portions of the stolen data during the investigation, as disclosed in a joint letter from House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries to DC Health Link leadership. This letter emphasized concerns over the potential scale of congressional impacts, given the thousands enrolled since 2014, and warned that heightened media attention could increase risks as threat actors became aware of the data’s high-value targets. Congressional leadership directed DC Health Link to clarify breach specifics, protective measures, and victim support protocols while Capitol Police and the FBI continued investigating the incident’s origins and full extent.