‘Extraordinary, Egregious’ Data Breach at House and Senate

Senators, representatives and staffers suffer PII leak: Could it finally kickstart some action?

It might affect as many as 11,000, we’re told. Insurance marketplace DC Health Link appears to have lost control of some highly sensitive healthcare information.

By the people, for the people? In today’s SB Blogwatch, we wait to see how equal we really are.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Austria’s bizarre Eurovision entry.

Capitol Trouble

What’s the craic? Henry Rodgers and Brian Clark broke the story—“Data Breach Potentially Exposed Private Info Of Lawmakers And Staff”:

Personal identifiable information
The data breach reportedly affected DC Health Link, according to the House’s Chief Administrative Officer Catherine Szpindor. [She] detailed how the personal identifiable information of thousands of members enrolled with the healthcare administrator was potentially leaked.

How bad is it? Extraordinarily, egregiously bad, according to Lisa Mascaro and Frank Bajak—“Breach could expose lawmakers and staff”:

Identity theft
House leaders say the impact of a hack of a health insurance marketplace used by members of Congress “could be extraordinary,” exposing sensitive personal data of lawmakers, their employees and families. … The stolen data includes Social Security numbers, phones, addresses, emails and employer names.

House Speaker Kevin McCarthy, R-Calif., and Minority Leader Hakeem Jeffries, D-N.Y., said the breach “significantly increase the risk that Members, staff and their families will experience identity theft, financial crimes, and physical threats.” … The FBI told them it was able to purchase the stolen data on the dark web.

In an email to all Senate email account holders on Wednesday, the sergeant at arms recommended that anyone registered on the health insurance exchange freeze their credit to prevent identity theft. … The Chief Administrative Office of the House on behalf of McCarthy and Jeffries called the breach “egregious.”

Hair on fire! Sean Lyngaas adds nuance—“Data breach more ‘extensive’ than previously known”:

Others were less alarmed. “I can’t get all that worked up about this, honestly,” [said] a Senate staffer [adding] China “got all my data already in the OPM hack,” … referring to the 2014-2015 breach of the Office of Personnel Management that compromised millions of US government personnel records.

I mean, it doesn’t sound like hugely personal info. But jamesjamesnamedtwice has chapter and verse:

The header of the demo file … says:
Subscriber ID,Member ID,Policy ID,Status,First Name,Last Name,SSN,DOB,Gender,Relationship,Benefit Type,Plan Name,HIOS ID,Plan Metal Level,Carrier Name,Premium Amount,Premium Total,Policy APTC,Policy Employer Contribution,Coverage Start,Coverage End,Employer Name,Employer DBA,Employer FEIN,Employer HBX ID,Home Address,Mailing Address,Work Email,Home Email,Phone Number,Broker,Race,Ethnicity,Citizen Status,Plan Year Start,Plan Year End,Plan Year Status

Who’s to blame? CaptainOfSpray knows where to point the finger:

Do not trust insurance companies. In several decades of IT consulting, I have repeatedly encountered insurance companies where everyone was an entitled, self-satisfied, arrogant ***** who believed that their IT was perfect, that they knew everything, and they could not be told about the gaps in their knowledge; and they believed everyone they met had to jump to satisfy their every demand. And it always turned out that the individual involved did not have the authority to decide anything.

Best policy: Leave them to rot in their own juice.

There oughta be a law. There is, according to u/Educational-Ice-319:

HIPAA has existed and required encryption, infosec programs, and a host of other security measures for over two decades. This is a ****up that can be traced to lack of enforcement … and short cuts on the insurer’s side.

Insurance providers are explicitly Covered Entities. … HIPAA is a very broad statute. … If they pay costs associated with care, they are a Covered Entity. If they handle HIPAA transactions and code sets, and do any transformations for billing, they are a Clearinghouse and a Covered Entity. If they process data for a covered entity, they are a Business Associate and are subject to the security rule in its entirety and portions of the privacy rule.

Could this be the catalyst we need for action? Arr2Pew2 sounds slightly cynical:

This is great news! … We might finally see some action on data breaches.

Who am I kidding? This changes nothing 🙃

As is sekh60:

Nothing of note happened to Equifax for credit data. Who wants to bet these guys face some serious repercussions for exposing data of the ruling class?

However, jmch is a bit more glass half full:

I hope there is a silver lining in there somewhere that will get representatives and senators to look beyond their partisan goggles and the interests of their lobbying fund-masters to understand that everyone’s personal data needs more protection, and not only from it being stolen but also from being hoovered up in large quantities just because it’s possible.

But u/WhileNotLurking finds that hard to believe:

Seriously go look at how poorly HIPAA is written or basically any other technology standard the government uses. For many systems the federal compliance standards are weaker than what you could do commercially, because they were written ages ago and have not been updated.

Meanwhile, GMoney shoots and scores: [You’re fired—Ed.]

You would think that this would help them come up with better legislation about how data should be secured and what data should be stored/retained long term (because 99% of it doesn’t have to be). But we all know that absolutely nothing meaningful will happen.

And Finally:

Some Austrian tosh about Edgar Allan Poe

Hat tip: garold


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Maria Oswalt (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
