Hacking the DC Health Link insurer: revealed the data of US congressmen

An unknown hacker hacked into the networks of DC Health Link, an insurance company that provides health insurance to US lawmakers and Washington residents. The hack exposed confidential information about 21 current members of Congress.

The incident was first reported last week, but the aftermath of the hack has only come to light now after a user named Denfur posted what he claimed was the full DC Health Link dataset on a hacker forum.

The file contains 67,565 unique records and personal data of 56,415 of the company’s clients. The dataset is authentic and includes:

• names;
• email addresses;
• dates of birth;
• address of residence;
• social security numbers (SSN);
• insurance policy information.

The published dataset also contains more than 1,800 entries relating to congressmen, their families, and other congressional staff. Other information provided in the stolen documents:

• personal data relating to at least 20 foreign embassies and thousands of companies (employees of some firms now work in the White House);
• personal data of former employees of the NSA and the US Department of Defense;
• data from Washington residents who have purchased insurance—lobbying firms, civil society groups, dental clinics, design firms, and others.

On March 13, Denfur stated that the attack vector was an open and unprotected database. According to the hacker, he gained access to the database by simply connecting to it – no verification was required. He added that the base had probably been open for over a year. The hacker also threatened that after some time he would release more information, since, according to him, he hacked several databases.

According to an anonymous source, to access the database, it is not enough to “just connect” – it requires some knowledge of the database software. DC Health Link hired information security company Mandiant to investigate the incident.

Speaker of the House of Representatives Kevin McCarthy declared that the breach “significantly increases the risk that congressional members and staff, as well as their families, will face identity theft, financial crime, and physical threats.”