Confidential information from last week’s «significant data breach» of the Washington, DC, health insurance marketplace, affecting members of Congress, has been posted online, according to Senate staff briefed on the attack.
In an email to the Senate offices, the Intelligence Committee staff members said they «have learned that the breached information is already on one of the large hacker breach sites.»
The information is «easily accessible to people who know how to look it up» and «includes name, address, [Social Security number], [date of birth], desk phone number, which plan you signed up for, and how much your monthly contribution is.»
«This is scary,» the email read.
DC Health Link is the Affordable Care Act online marketplace that manages health care plans for members of Congress and certain Capitol Hill employees, as well as others in the Washington area.
On March 6, before the breach was made public, a user on a dark web forum popular with hackers claimed to have access to data, including names, social security numbers, contact information, and family members, as well as other information, of a handful of DC Health Link users and claimed to offer the entire database for sale. NBC News has not verified the authenticity of the data.
Another user on the site made the files public to anyone with access to the site this week. That database, seen by NBC News, includes the purported information of more than 65,000 people, including more than 1,000 with employment information indicating they work for the House or Senate. A Senate office, which asked not to be named to protect the privacy of its staff, confirmed that the personal information of several of its employees in the database was accurate.
DC Health Link announced on Tuesday that it could divide many of its users into two groups: those whose information was publicly exposed, and those whose information was stored in the same way but whose data does not appear to have been compromised. It was not clear why there was a distinction, and DC Health Link did not respond to a request for more information.
DC Health Link said in a notice it sent to affected users Wednesday, viewed by NBC News, that it learned of the breach after being notified on March 6 that user data «had been exposed in a public forum».
«We immediately launched a thorough investigation and are working with forensic investigators and law enforcement,» the letter said, noting that the exposed personally identifiable information includes «Your name and the name of your DC Health Link enrolled dependents, social security number, date of birth, gender, address, email, and phone number. If your DC Health Link coverage is through an employer, then the employer’s name and information about the employer and work email.»
It said it was offering customers whose data was compromised «three years of free credit and identity monitoring for all three credit bureaus» that they can access immediately.
The United States Capitol Police and the FBI are investigating.
In a letter last week to the head of the DC Health Benefits Exchange Authority, which operates DC Health Link, House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., warned that the «size and scope of affected House clients could be extraordinary» because thousands of members of Congress and congressional staff have used DC Health Link since 2014.