The online health insurance marketplace for members of Congress and Washington, D.C., residents was subjected to a hack that compromised the personal identifying information of potentially thousands of lawmakers, their spouses, dependents and employees, according to a letter from House leaders informing their colleagues about the breach and a memo from the Senate’s top security official.
The Capitol Police and the Federal Bureau of Investigation informed Speaker Kevin McCarthy, Republican of California, and Representative Hakeem Jeffries, Democrat of New York and the minority leader, of the attack on the D.C. Health Link marketplace. Federal investigators had been able to purchase personal information about members of Congress and their families on the “dark web” because of the breach, the letter said.
“Right now, our top priority is protecting the safety and security of anyone in the Capitol Hill community affected by the cyber hack,” Mr. McCarthy and Mr. Jeffries wrote on Wednesday, calling the incident an “egregious security breach.”
“The Office of the Chief Administrative Officer will be in contact with important resources including credit and identity theft monitoring services, which we strongly encourage you to utilize,” the lawmakers wrote.
The data of senators and their staffs were also compromised, according to an internal memo from the Senate sergeant-at-arms. That memo stated that the compromised data included “full names, date of enrollment, relationship (self, spouse, child), and email address, but no other personally identifiable information.”
The cause, size and scope of the data breach affecting D.C. Health Link was not immediately known, according to the House leaders, who wrote that they were “being consistently briefed” about the matter by the police and the F.B.I.
But the online health insurance marketplace serves about 11,000 members of Congress and their staffs, and nearly 100,000 people overall.
“This breach significantly increases the risk that members, staff, and their families will experience identity theft, financial crimes, and physical threats — already an ongoing concern,” Mr. McCarthy and Mr. Jeffires wrote. “Fortunately, the individuals selling the information appear unaware of the high-level sensitivity of the confidential information in their possession, and its relation to members of Congress. This will certainly change as media reports more widely publicize the breach.”
House leaders are now demanding answers from Mila Kofman, the director of the D.C. Health Benefit Exchange Authority, a private-public partnership responsible for the District of Columbia’s online health insurance marketplace. Mr. McCarthy and Mr. Jeffries sent a series of pointed questions to Ms. Kofman on Wednesday.
Among them were why the insurance market had not formally alerted individuals whose data was compromised; what specific enrollee information was stolen; and how many lawmakers were impacted.
In a statement on Wednesday evening, Adam Hudson, a spokesman for the authority, confirmed the breach, saying that “data for some D.C. Health Link customers has been exposed on a public forum.”
Mr. Hudson said the agency had begun an investigation.
“Concurrently, we are taking action to ensure the security and privacy of our users’ personal information,” Mr. Hudson said. “We are in the process of notifying impacted customers and will provide identity and credit monitoring services.”