FRONTLINEPRIVACY

DC Health Link breach exposed personal data of members of Congress and staff in 2023

2023-03-08 · Washington, DC

A misconfigured server at DC Health Link exposed personal information for thousands of enrollees, including members of Congress, congressional staff, and their families. The data wound up on a public hacking forum.

Summary

In March 2023, the DC Health Benefit Exchange Authority confirmed a breach of its DC Health Link system. A server holding enrollment data was misconfigured and left exposed. Data tied to roughly 56,000 enrollees was taken and offered for sale on a hacking forum. Among those exposed were sitting members of Congress, congressional staff, and their dependents. Names, addresses, dates of birth, and Social Security numbers were involved. The FBI confirmed it had bought back samples of the stolen data on the dark web. An independent review later concluded the breach was preventable and traced it to human configuration error.

What happened

In early March 2023, the DC Health Benefit Exchange Authority told members and the public that DC Health Link had been breached. According to AP News, a misconfigured server allowed an unauthorized party to take enrollee data and post it for sale on a hacking forum. About 56,000 people were affected, including members of Congress, staff, and family members.

The exposed data included names, home addresses, dates of birth, and Social Security numbers. The FBI told congressional leaders it had purchased samples of the leaked data to confirm what was in it.

How it started

DC Health Link runs the federally established health insurance marketplace for the District. The breached server held enrollment records going back years. An after-action review found the cause was human error in server configuration, not a sophisticated attack. The data sat exposed long enough for someone to scrape it and offer it for sale.

Members of Congress and federal staff are exactly the type of population a doxxing campaign targets. Once name, address, and date of birth are on a forum, they get cross-referenced against people-search and broker sites and republished from there.

What this means for you

If you work in federal law enforcement, federal court security, or any sworn role based out of DC, your home address probably isn't sitting on a hacking forum, but it almost certainly is on a broker page. DC has no Daniel's Law analog. The District's address confidentiality program isn't built for sworn personnel.

The federal Lieu Act covers federal judges, but most other federal employees have no statutory removal right. Your option is to remove what's removable, watch the brokers that re-list, and remove it again. That's what we do.


What would have prevented this

A government server you never logged into can still hand your home address to anyone who knows where to look. Federal staff, judges, and law enforcement working in DC have no specific anti-doxxing statute backing them, and the District has no Daniel's Law analog. Continuous broker monitoring is the part you control. We pull the listings down, watch them, and pull them down again when they come back.