D.C. health insurance exchange reportedly suffers data breach affecting Congress

The U.S. House chief administrative officer said D.C.'s health insurance exchange suffered a data breach affecting members and staff.

The agency that runs the public health-insurance marketplace in Washington, D.C., reportedly suffered a data breach Tuesday potentially exposing the personal information of tens of thousands of customers, including members of Congress and their staffs.

The reported breach in DC Health Link, as the exchange is known, has not been publicly acknowledged by the D.C. Health Benefit Exchange Authority, which runs the marketplace. But the incident was made public Wednesday through a memo to U.S. House members and their staffers sent by Catherine Szpindor, the House’s chief administrative officer.

“I have been informed by the United States Capitol Police and DC Health Link of a data breach impacting Members and staff,” the note read. “DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through the DC Health Link, your data may have been comprised.”

Szpindor said she doesn’t know the full scale of the breach, but that the FBI said “that account information and PII of hundreds of Member and House staff were stolen.”


“It is important to note that at this time, it does not appear that Members or the House of Representatives were the specific target of the attack,” Szpindor wrote. She also referred recipients to the three major credit-rating agencies to request a temporary credit freeze.

House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., have also requested further information from DC Health Link on the extent of the apparent breach, Szpindor wrote.

While DC Health Link is available to all D.C. residents who need to purchase health insurance plans, it draws a large number of customers from Congress. The 2010 Affordable Care Act — which created the nationwide system of health insurance marketplaces — required members and their staffs to enroll in plans either created under the Obama-era law or offered through the exchanges. (Given Congress’ location, the U.S. Office of Personnel Management recommends members and staff use the D.C. market.)

In an emailed statement to StateScoop, a DC Health Link spokesperson confirmed that data for “some customers” was posted to an online forum.

“We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement,” the spokesperson, Adam Hudson, wrote. “Concurrently, we are taking action to ensure the security and privacy of our users’ personal information.”


The statement went on to say that DC Health Link is notifying affected customers and that it will offer credit- and identity-monitoring services.

Prior to the chief administrative officer’s note, the only public evidence that a breach had occurred was a newsletter published by the threat intelligence firm Cyble, which reported observing criminal forum activity by a user claiming to have DC Health Link customers’ names, insurance numbers, dates of birth, genders, insurance plan types and Social Security numbers.
