Congress Exposed in PHI-Related Data Breach

May 26, 2023


How far can cybercriminals go?

Can they breach your home network?

Could they get through your work computers?

What about big organizations? What if they climbed all the way up to the United States government?

That’s not a hypothetical. In recent years, data breaches have consistently plagued individuals, organizations and governments of all sizes, all over the world. Recently DC Health Link, a dominant health insurance marketplace in Washington DC, announced a data breach that potentially affected the PHI of over 56K customers — many of whom work in or around Congress.

What Is PHI?

To understand the scope of this attack, first you need to know what PHI is. Protected Health Information encompasses all health-related information that is collected, stored and shared. All workers in the healthcare industry are duty-bound to protect the privacy of your PHI under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which established the first regulations about how to safeguard digitized PHI from unauthorized access.

Much like personally identifiable information (PII), PHI includes personal information like your name, address and Social Security number. Unlike PII, however, your protected health information also encompasses things like your medical records, insurance, X-rays and scans: all data that medical professionals need to conduct their business, but that you wouldn’t want in the hands of someone you don’t know.

If you’re in a position of authority — like say, a sitting United States Congressman — concerns only multiply. Not only could the leaked PHI help a criminal impersonate or victimize you, but your public service only amplifies your name…and the target on your back.

What Happened to Congress?

Out of the 100K members who carry insurance through DC Health Link, over 10% are Congress members or staff. This is a twofold concern: first for the physical and digital safety of those who had their information leaked, and second for how an attack weaponizing that information could impact national security.

Private information leaked in the breach includes Social Security numbers, birthdays, health plan information, employment details, citizenship status, race, gender and contact information. In mid-May, any or all of that data was exposed, affecting at least 56,415 customers. Thus far, 17 former or current Congressmen have been confirmed to have had data exposed in the leak and more are expected to join that number. Some Senators have potentially been exposed as well.

Many of the leaked records have already appeared for sale on the Dark Web. DC Health Link has offered its customers three years of dark web, identity and credit monitoring services that track all three credit bureaus. Despite this, a class action lawsuit has been brought against them seeking to increase audits, automate better security provisions, and improve their internal cybersecurity posture.

Protecting PHI

Do you handle others’ PHI in the course of your workday? It’s not just healthcare professionals who have to pay attention; business associates of these providers could also manage client data while they’re undergoing their own operations. Think about lawyers investigating medical malpractice suits, the third-party services a hospital uses to back up its data, and even traveling medical professionals coming in and out as needed.

Organizations must have stringent security measures in place! This includes securing networks and databases, encrypting systems for storing PHI, and establishing various access levels that protect it from unauthorized eyes. Of course, that’s only the tip of the iceberg.

PHI must be kept secure and only accessible to those who need it in order to provide care or perform administrative tasks related to health care services. Understanding the regulations surrounding PHI is important for healthcare organizations in order to ensure compliance with HIPAA and other data privacy regulations.


This leak of information on Congress members and staff is worrisome, but not new. Attacks on major databases, like your healthcare provider, are an efficient means to steal private information on a lot of people at once. The authoritative position these particular victims carry was simply an added draw for the threat actors at fault.

Insufficient cybersecurity has major consequences: reputational, financial and legal. This incident demonstrates just how deep the damage can go.

Who’s in charge of your PHI? Do you know how well-protected it is within their systems? It’s not too late to better secure your protected health information and your personally identifiable information. The more you know about the threats posed to your data, the smarter decisions you can make about it.

