Washington DC’s Health Benefit Exchange Authority, also known as DC Health Link, has allegedly suffered a data breach. A database containing personal information about 170,000 individuals was offered for sale on a data leaks forum.
The news of the potential data breach has raised concerns as sensitive personal information including social security numbers, dates of birth, and addresses, apart from health and disease history, are at risk.
A user made a post on an online breach forum, claiming to be in possession of the data from DC Health Link and was selling it on the dark web.
The compromised data reportedly includes subscriber ID, member ID, policy ID, status, first and last names, social security numbers, dates of birth, gender, relationship, benefit type, plan name, and more.
The seller has demanded an undisclosed amount of XMR cryptocurrency for the data and has requested to be contacted through a middleman.
DC Health Link data breach: Why threat actors are targeting health institutions?
DC Health Link is responsible for providing health insurance options to residents of Washington, DC. The authority was established as a part of the Affordable Care Act (ACA) to help individuals and small businesses in the District of Columbia find affordable health coverage.
The potential data breach could affect thousands of individuals who have signed up for health insurance through DC Health Link.
Data breaches can have severe consequences for individuals, including identity theft, financial loss, and other harmful effects. In response to the breach, DC Health Link has released a statement stating that they are investigating the matter and taking appropriate action to ensure the security and privacy of their users’ personal information.
They have also urged users to monitor their financial and personal information and report suspicious activity.
Hospitals and health institutions are attractive targets for hackers due to the vast amounts of sensitive and valuable data they possess. This includes personal and medical information of patients, financial records, and intellectual property such as research and development data.
The Cyber Express has reached out to DC Health Link with enquiries about the incident. We have not received a confirmation from the organization.
US Healthcare and data breaches
DC Health Link is the latest in the long chain of US healthcare services that have faced data breaches. Healthcare providers face data breach risks from multiple sources, as noted by Thomson Reuters Regulatory Intelligence. The three primary sources are employees, third-party vendor tools, and cybercriminals.
The DCH Health System in Alabama in January reported a data-privacy breach caused by an employee accessing electronic medical records without a legitimate business need. The hospital discovered the incident during a routine privacy audit.
“The information that may have been accessed and viewed without authorization by this employee contained the following data elements: name, address, date of birth, social security numbers, date of encounter, diagnoses, vital signs, medications, test results, and clinical/provider notes,” announced the organization.
Further investigation revealed that the employee had also accessed and viewed additional patient records between September 2021 and December 9, 2022, without a valid work-related need.
UCLA Health in January disclosed an issue with third-party analytics tools capturing and transmitting data from an appointment request form.
“UCLA Health recently learned of an issue relating to the use of analytics tools on the UCLA Health website and mobile app,” said the healthcare facility’s disclosure.
“Specifically, UCLA Health’s analytics tools on an appointment request form completed on the UCLA Health website or the UCLA Health mobile app (“Appointment Request Form”) may have captured and transmitted to our third-party service providers certain limited information from the Appointment Request Form.”