Lawsuits Mount Against DC Health Link Over Breach of Congress Members’ Data

At least two class action lawsuits have been filed against the online health insurance marketplace DC Health Link over a recent hacking incident which, according to DC Health Link, affected 56,415 customers. DC Health Link is a public-private healthcare exchange program for residents of Washington D.C. that is operated by the DC Health Benefit Exchange Authority (DCHBX). DC Health Link has approximately 100,000 customers, including 11,000 Congressional staff and Members of Congress.

DC Health Link confirmed in a March 6, 2023, statement that Mandiant had been engaged to assist with the investigation and said 56,415 customers had been affected and had some of their personal information accessed or stolen. The compromised information included name, birth date, gender, health plan information (plan name, carrier name, premium amount, employer contribution, coverage dates), employer information, and enrollee information (name, address, email address, phone number, race, ethnicity, citizenship status). The types of data involved varied from individual to individual.

Affected individuals have been offered three years of credit monitoring protection at no cost, which includes cover for their spouses, dependents, and children. DC Health Link said those monitoring services were being offered to all customers, even if they were not one of the 56,415 individuals known to be affected. DC Health Link did not provide any details on how the breach occurred and said the investigation is ongoing.

On the same day as the announcement, a member of a popular hacking forum with the moniker IntelBroker claimed to have obtained the data of 170,000 individuals in the attack and was offering to sell the stolen data. A sample of the stolen data was published online. Initially, it appeared that the individuals behind the attack were unaware that the data of Congress Members and Congressional staff were in the dataset. However, another user of the hacking forum – Denfur – jointly claimed responsibility for the attack and said U.S. politicians were targeted out of allegiance to Russia, and that the attackers had targeted Washington D.C. services that politicians would use. In a conversation with CyberScoop, Denfur said the data would be released when there was no longer a use for it and said initial access was gained through an open, exposed database.

The lawsuits were filed in the U.S. District Court for the District of Columbia and allege that DC Health Link/DCHBX were negligent in failing to secure the sensitive data of customers. Both lawsuits suggest the breach is more extensive than DC Health Link’s statement indicates, with one suggesting up to 506,000 individuals have potentially been affected and the other putting the figure between 56,000 and 107,000 individuals.

One of the lawsuits was filed by Milberg Coleman Bryson Phillips Grossman PLLC on behalf of plaintiff Angelo Meranda against DC Health Link, Mila Kofman, Executive Director of DCHBX, the Executive Board of DCHBX, and Diane C. Lewis, Chairperson of the Executive Board of DCHBX. The other lawsuit named DC Health Link as the sole defendant, and was filed by Gary E. Mason of Mason LLP on behalf of plaintiff Jenni Suhr. The lawsuits seek class action status, monetary damages, and for DCHBX/DC Health Link to make improvements to security to prevent further data breaches.

The post Lawsuits Mount Against DC Health Link Over Breach of Congress Members’ Data appeared first on HIPAA Journal.