Update: On Friday evening, a spokesperson for DC Health Link shared further information about a data breach that began on Monday, March 6.

According to spokesperson Adam Hudson, 56,415 DC Health Link customers were impacted. The breach affected data fields such as name, Social Security number, date of birth, health plan information, employer information, and enrollee information (like phone number, race, and citizenship status). The investigation is still ongoing, according to Hudson. A third-party forensics firm, Mandiant, has been brought on to aid law enforcement.

“While this remains an ongoing investigation, our services are running normally and we continue to operate in a state of heightened alert,” Hudson wrote in a statement Friday night.

Hudson said the DC Health Benefit Exchange Authority reached out to impacted enrollees to provide three years of free identity and credit monitoring, and “out of abundance of caution,” will be offering the same to all other customers, even those who were not impacted.

Original: The D.C. health insurance exchange suffered a serious data breach that could impact thousands of residents, including elected officials in the District.

The scope and scale of the problem are mostly unknown. Adam Hudson, a spokesperson for DC Health Link, the online exchange, confirmed that some customers’ information “has been exposed on a public forum,” and said the agency is working with law enforcement on a “comprehensive investigation.”

The FBI and U.S. Capitol Police are both involved in that investigation.

Hudson also said DC Health Link was “in the process of notifying impacted customers and will provide identity and credit monitoring services” for affected customers, and credit monitoring for all customers regardless of whether their information was implicated.

But multiple people who said they hold insurance plans through DC Health Link were still in the dark Thursday morning about the status of their personal information. Several said a WAMU/DCist callout on Twitter about the breach was the first news they’d heard of the problem.

“I said ‘wait, what’ to this, out loud, so obviously they’re on top of it,” tweeted one person.

“Great news, very comforting,” another added.

The breach was first made public on Wednesday, when reports surfaced of a user on a dark web forum offering personal information from DC Health Link for sale, according to the Associated Press, which contacted the broker.

The little information made public on the incident has come from Capitol Hill, where staff and members were notified of the cybersecurity problem by House and Senate authorities. On the House side, staff received an email from the Chief Administrative Officer indicating that “account information and PII [personally identifiable information] of hundreds of Members and House staff were stolen.” There is no indication that Congress or congressional staff were specifically targeted, and the email said the office expected to have a list of affected individuals later on Wednesday.

In response to the news, House Speaker Kevin McCarthy and Democratic Minority Leader Hakeem Jeffries sent a joint letter to Mila Kofman, the executive director of the DC Health Benefit Exchange Authority, the body that runs DC Health Link.

The letter indicates that the personal information exposed by the breach includes “names of spouses, dependent children, their social security numbers, and home addresses.” It asks for answers to questions regarding the authority’s plans to notify affected customers, more specifics on what information was stolen and how that was determined, and what steps will be taken to prevent future lapses in security.

“This breach significantly increases the risk that Members, staff, and their families will experience identity theft, financial crimes, and physical threats – already an ongoing concern,” the two leaders wrote.

The letter also notes that the FBI purchased the stolen information from the hack on one of the dark web forums on which it appeared. There has been no indication yet of a ransom demand for the data, and the FBI has previously advocated against governments paying ransoms for stolen information or otherwise engaging with cyber criminals, a question states and localities have also wrestled with in recent years.

DC Health Link serves about 100,000 people, according to the website of the DC Health Benefit Exchange Authority. That includes employees at over 5,000 small businesses in D.C. and nearly 11,000 members of Congress and their staff. The online exchange allows customers and businesses to shop for private health insurance plans, a structure put in place under the Affordable Care Act.

The private health insurance currently offered on the marketplace includes plans from three UnitedHealth companies, two Aetna companies, CareFirst BlueCross BlueShield, and Kaiser.

DC Health Link was one of the first of the new exchanges to open to the public in 2013. The authority’s website notes a relationship between DC Health Link and the Massachusetts Health Connector for Business, another health insurance exchange, where the two “share technology and costs.” That partnership began in 2017.

Hudson did not immediately respond to a query about any contractors responsible for site security. Dozens of contractors were involved at the time of the launch.

This is hardly the first data breach for D.C. government services. Last April, the Department of Human Services announced that its electronic benefits program was hacked, leaving cash missing from residents’ EBT cards. And in 2021, hackers of Metropolitan Police Department data demanded a $4 million ransom to return the files. The hackers eventually released 250 gigabytes of what they claimed was stolen MPD data and files. Police later identified a person of interest in the breach.

This story has been updated with additional information about the purchase of the hacked data by the FBI.