By Lisa Mascaro and Frank Bajak

House leaders say the impact of a hack of a health insurance marketplace used by members of Congress “could be extraordinary,” exposing sensitive personal data of lawmakers, their employees and families. In all, thousands of people could be affected.

DC Health Link, which runs the exchange, said an unspecified number of customers were impacted and it was notifying them and working with law enforcement to quantify the damage. It said it was offering identity theft service to those affected and extending credit monitoring to all customers.

Some 11,000 of the exchange’s more than 100,000 participants work in the House and Senate — in the nation's capital and district offices across the nation — or are relatives.

In a letter to the exchange's director posted on Twitter, House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., said the breach “significantly increase the risk that Members, staff and their families will experience identity theft, financial crimes, and physical threats.” The stolen data includes Social Security numbers, phones, addresses, emails and employer names.

The FBI said in a brief statement Wednesday evening it was aware of the incident and was assisting.

In the letter, McCarthy and Jeffries said the FBI had not yet determined the extent of the breach but that thousands of House members, employees and their families have enrolled in health insurance through DC Health Link since 2014. “The size and scope of impacted House customers could be extraordinary.”

They said the FBI told them it was able to purchase the stolen data on the dark web, where it was offered for sale for an unspecified amount Monday on a hacker forum popular with cybercriminals.

It was not clear, though, whether and how the FBI could guarantee that copies of the stolen data were not circulating in the cybercrime underworld. Indeed, on Thursday, a new user on the forum claimed a hacker known as “thekilob” had stolen more than 55,000 records and exclaimed “Glory to Russia” in Cyrillic. Some of the most active cybercriminals are Russian speakers and operate with little interference from the Kremlin.

The user posted 200 records from the hack online and The Associated Press confirmed the sample's authenticity with two of the victims listed.

"This is big. This isn't just like regular folks. This is everyone," said one victim who works in Washington, D.C. In all, 24 people in her office had their records in the dump. The AP is not naming victims or their workplaces to avoid further potential harm.

Sample data posted to the hacker forum by a different account — and removed overnight Thursday — listed data for a dozen DC Link participants. The AP reached one by phone.

“Oh my God,” the man said, when informed the information was public. All 12 people listed work for the same company or are family members.

In an email to all Senate email account holders on Wednesday, the sergeant at arms recommended that anyone registered on the health insurance exchange freeze their credit to prevent identity theft.

An email sent out by the office of the Chief Administrative Office of the House on behalf of McCarthy and Jeffries called the breach “egregious” and urged members to use credit and identity theft monitoring resources.

In an emailed statement on Wednesday, Rep. Joe Morelle of New York said House leadership was informed by Capitol Police that DC Health Link “suffered an extraordinarily large data breach of enrollee information” that posed a “great risk” to members, employees and their family members. He said the FBI was still determining the “cause, size, and scope of the data breach.”

The hack follows several recent breaches affecting U.S. agencies. Hackers broke into a U.S. Marshals Service computer system and activated ransomware on Feb. 17 after stealing personally identifiable data about agency employees and targets of investigations.

An FBI computer system was recently breached at the bureau's New York field office, CNN reported in mid-February. Asked about that intrusion, the FBI issued a statement calling it “an isolated incident that has been contained.” It declined further comment, including when it occurred and whether ransomware was involved.

There was no indication the DC Health breach was ransomware-related.

___

Bajak reported from Boston.
