Skip to main content
Press Release Published: Apr 19, 2023

Mace: D.C. Health Data Breach Resulted in Sale of Thousands of Individuals’ Information on the Dark Web

WASHINGTON—House Committee on Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace (R-S.C.). today delivered opening remarks at a joint hearing with House Administration’s Subcommittee on Oversight. Rep. Mace highlighted how a breach of D.C. Health Link data was the latest in a troubling string of cyber-breaches and enabled hackers to post personally identifiable information online, putting thousands of individuals at risk.

Below are Subcommittee Chairwoman Mace’s remarks as prepared for delivery.

Good afternoon, and welcome.

This is a joint hearing of the panel I chair – the Subcommittee on Cybersecurity, Information Technology, and Government Innovation of the House Oversight and Accountability Committee – and the House Administration Committee’s Subcommittee on Oversight, which is chaired by the gentleman from Georgia, Mr. Loudermilk.

Since this is a joint hearing, we will have opening statements from the chair and ranking member of both subcommittees. That’s a total of four opening statements, so I will attempt to keep my own brief.

First, I want to explain why we are conducting this hearing jointly.

The data breach we’re going to get to the bottom of today is of great concern to Members of Congress and staff who – along with many of their family members – participate in the DC Health Exchange.

But the overwhelming majority – about ninety percent – of Exchange enrollees are not affiliated with Congress. They are people who get health insurance through the Exchange as individuals or as employees of one of the 5,000 participating small businesses.

So, this data breach is a particular concern of the Congress. But it’s also the latest in a troubling string of cyber-breaches exposing the confidential data of ordinary Americans. All too often, these breaches involve government agencies or programs to whom people are entrusting their most personal information.

We know the recent data breach at the DC Health Benefit Exchange Authority resulted in the theft, sale, and public posting of confidential personal information of tens of thousands of individuals getting health insurance coverage via the Exchange.

And that may not be the full extent of the breach. Indeed, the vulnerability through which the breach occurred may have exposed the data of as many as 200,000 individuals to hackers. 

Last month, several internal health insurance enrollment reports maintained by DC Health Link were accessed without authorization and posted online.

These excel spreadsheets sold and posted on the Dark Web contain dozens of data fields of personal information on each Exchange enrollee listed – Name, Age, Social Security Number, Telephone Numbers, Home Address, Mailing Address, Email Address, Employer, Health Plan, Health Insurance Premium, Race, Ethnicity, Citizenship Status and more.

The advent of AI is only going to make breaches like this even more vulnerable to personal data. It will only get worse if businesses and government agencies are ill prepared for what lies ahead.

People need to be able to sign up for health care without surrendering to public view their most confidential data.

So, the subcommittees are convening here today to find out – with the help of our witnesses – How this data breach happened; Who is responsible; How they are being held accountable; and What is being done to ensure it does not happen again.

With that, I yield to the Ranking Member of my Subcommittee, Mr. Connolly of Virginia.