At least 17 current or former members of Congress had personal information exposed in the hack of the District of Columbia health insurance data system, according to a top Democrat investigating the matter. And that number is expected to rise, he said.
In an interview with CBS News, Rep. Joe Morelle (D-NY) said hundreds of congressional staff may also have suffered a breach of their personally identifiable information. Morelle said, “I think the number can and may grow. I don’t know what the probability is. But we’ve only been able to look through some of the data that’s gotten out.”
According to multiple reports, the breach might have impacted more than 56,000 people.
The hacking of the DC Health Benefit Exchange Authority data system has triggered at least three investigations and a federal civil lawsuit against the District of Columbia government, CBS News has learned. It has also sent a significant shock through Congress and its staffers.
Democrats organized a members-only briefing with Capitol Police last week and Republicans sought and received permission to join the meeting as well.
Morelle, the top Democrat on the House Committee on House Administration, said the panel has launched a review of the breach, in part to measure how many people who work in Congress have had sensitive information exposed.
In an alert to Congressional staff, the Senate Sergeant at Arms warned the breach exposed the names, Social Security numbers, birth dates, home addresses, email address, phone numbers, race and ethnicity of at least some employees who work at the Capitol.
The FBI has reported that some of the information in the leak has been made available for purchase on the dark web.
Morelle said members of Congress are already in a heightened state of alert about their safety, amid an increase in investigations of threats of political violence. He said, “Members feel increasingly under more scrutiny, and in many cases feel less secure than they probably have and maybe ever have. Whenever information gets out, understandably they are concerned about it.”
The FBI and Capitol Police are both investigating the breach. House leaders have warned the exposure of the sensitive information raises the risk that members and staff could suffer identity theft, financial crimes, and physical threats.
In a members-only briefing in the House last week, Capitol Police filled in attendees about its review of the breach and the impact. Morelle said the meeting was organized by House Democratic Leader Rep. Hakeem Jeffries (D-NY), but was joined by Republicans who were also seeking information about the impact and risks.
A Capitol Police spokesman told CBS News, “Our agents are liaisons with the FBI during this ongoing investigation. There is more work to do before law enforcement can provide more details. In the meantime, the House Chief Administrative Officer is providing helpful information to those who may be impacted.”
Morelle said the House review will also inspect whether the DC Health Benefit Exchange Authority has properly and sufficiently tightened its controls against future attacks and breaches.
House Committee on House Administration Chairman Brian Steil (R-WI) said the committee’s review could last weeks.
A spokesman for the authority told CBS News, “DC Health Link immediately launched a comprehensive investigation, began working with law enforcement, and engaged a third-party expert forensics firm, Mandiant, to investigate. Our investigation remains ongoing, however the issue which led to this data breach has been identified and eliminated. DC Health Link is working closely with Mandiant to conduct a comprehensive review of its security measures and controls, and we will be implementing new protocols going forward.”
The House Chief Administrative Officer has notified House staff they will be offered credit and identity monitoring by the DC Health Link. The notification said they will receive “three years of credit and identity monitoring protection, including tracking through all three credit bureaus, and dark web identity monitoring.”
The DC Health Benefit Exchange Authority is facing a class action civil lawsuit because of the breach. The suit seeks a series of court orders against the health exchange service, including a requirement that it “engage independent third-party security auditors and internal personnel to run automated security monitoring.” The civil suit was filed Friday in Washington DC federal court.