DC health exchange breach affects former national security officials, Congress
A sample of data stolen from Washington, D.C.’s health insurance exchange includes the personal information of a prominent former defense official and employees of lobbying firms, an indication that the breach may be the latest in a string to expose personal information belonging to members of the U.S. national security establishment.
The District of Columbia’s health insurance exchange confirmed Wednesday that it was working with law enforcement to investigate data posted on a public forum that was purportedly obtained by a breach of the exchange. It’s unclear how many individuals the alleged breach may have impacted.
A sample of the stolen dataset reviewed by CyberScoop indicates that the victims of the breach range from some of Washington’s K-Street powerbrokers to coffee shop employees. Both businesses and individuals can use the exchange to purchase health insurance policies, and among its customers are lobbying firms, civil society groups, a dentist’s office and a design firm.
CyberScoop is not naming any of the affected individuals nor their employers, but the sample data set includes one firm that boasts a large number of employees who have gone on to work in the White House. The former defense official whose alleged personal data CyberScoop viewed is a mainstay of the city’s national-security establishment. Neither the firm nor the former official returned requests for comment.
Security experts caution that the consequences of a breach like this are difficult to predict. “The hard thing about this kind of data breach is it’s not just the data alone, it’s when you combine the data with other data sets that nation states or bad actors might have,” said Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University. Jaffer called the breach “deeply concerning” especially given that it may affect members of Congress and their staff.
CyberScoop was able to verify portions of the dataset available in the public record and the authenticity of one victim’s leaked data. The Associated Press verified the authenticity of the data with two victims. It’s not clear what time frame the data obtained by the hacker spans. The leaked data includes names, email addresses, dates of birth, home addresses, social security numbers and details about insurance policies.
A person using the moniker “IntelBroker” first posted the stolen data on March 6 to an online forum, where data breaches are publicized and data is either published for download or offered for sale. That post was subsequently pulled down, and “IntelBroker” is now listed as permanently banned.
Three days later, on March 9, a second user going by the name “Denfur” — whose signature on the site reads “Glory to Russia!” — posted what they claimed was the full database, along with a sample that includes 200 entries. The full dataset includes 67,565 unique entries and about 55,000 “unique people,” Denfur claimed.
At about midday Thursday Denfur also claimed that “the intended target WAS U.S. Politicians and members of U.S. Government.” The quote appeared alongside a link to a news story about the incident quoting House of Representatives Chief Administrative Officer Catherine Szpindor as saying that the members of Congress were not the specific target of the attack.
The breach came to light after members of Congress and their staff were warned that their data may have been exposed.
IntelBroker did not respond to a request for comment. A review of IntelBroker’s activity on the forum shows multiple instances in which they claimed to have either hacked entities themselves or shared information hacked or scraped by others, including data supposedly linked to the U.S. Department of Defense, the Department of Health and Human Services and other U.S. government information.
A spokesperson for the FBI said the bureau is aware of the incident and is investigating but declined to comment further. According to a letter from congressional leaders to the head of the DC exchange, the FBI has purchased some of the stolen data on the dark web, NBC News reported.
DC Health Link confirmed that the data for some customers had been exposed on a public forum and that it was working with law enforcement to investigate.
“We are in the process of notifying impacted customers and will provide identity and credit monitoring services,” Adam Hudson, public information officer at the DC Health Benefit Exchange Authority, told CyberScoop in an email Thursday. “In addition, and out of an abundance of caution, we will also provide credit monitoring services for all of our customers. The investigation is still ongoing and we will provide more information as we have more to share.”
As of Thursday afternoon, several DC Health Link customers told CyberScoop that they hadn’t received any notice from the exchange about the incident and had only become aware of it through the news. One victim reached by CyberScoop Thursday said the data in the sample appeared legitimate and that they had not been contacted by anybody about the breach prior to CyberScoop’s call.
This week’s breach is far from the first time U.S. government officials — current and former — have seen their personal information exposed. The 2015 breach of the Office of Personnel Management saw Chinese hackers obtain the personal data of 21.5 million people collected as part of background investigations. A Republican-led House Oversight Committee warned in 2016 that the breach would “harm counterintelligence efforts for at least a generation to come.” The breach has also cost the federal government billions in identity monitoring services.