Data Breach

Incident Response Updates

As a result of our investigation, DC Health Link has identified two distinct groups – (Group 1) individuals we know were impacted by the data breach because their information was taken and posted publicly and (Group 2) individuals whose information we now know was stored in the same manner as the first group but we do not have actual evidence that information for Group 2 was compromised. Please find a description of these groups below, along with DC Health Link’s plan to notify them and provide free identity and credit monitoring services.

IF YOU ARE VISITING THIS PAGE FOR THE FIRST TIME, PLEASE CHECK YOUR DC HEALTH LINK ACCOUNT TO SEE IF YOU QUALIFY FOR FREE IDENTITY AND CREDIT MONITORING SERVICES:

  • Group 1: Individuals whom we know were impacted because their information was taken and posted publicly. We provided a notice through their DC Health Link account on Thursday, March 9. All people in Group 1 were provided with three years of free identity and credit monitoring services. The three years of monitoring protection includes all enrolled dependents, spouses, and children.
  • Group 2: Individuals whose information we now know was stored in the same manner as those in Group 1. These individuals are being notified in an abundance of caution as we cannot say with certainty their information was compromised because we have no evidence of access or download. We expect to complete the data review and notification process in the coming days. Everyone in Group 2 will receive a notice in their DC Health Link account. All individuals in Group 2 will also be provided with three years of free identity and credit monitoring services. The three years of monitoring protection includes all enrolled dependents, spouses, and children.

The issue which led to this data breach has been identified and eliminated. DC Health Link is working with third-party forensic experts to conduct a comprehensive review and to strengthen our security defenses.

Data Breach Update

The DC Health Benefit Exchange Authority takes the data breach of enrollee information very seriously. On Monday, March 6, 2023, upon becoming aware of the incident, we immediately launched an investigation, began working with law enforcement, and engaged a third-party forensics firm – Mandiant. While our investigation is ongoing, we’d like to provide an update on the current situation.

There are 56,415 customers impacted. The data fields include the following, although not all data fields were necessarily included for each enrollee: name, Social Security number, date of birth, gender, health plan information (e.g. plan name, carrier name, premium amounts, employer contribution, and coverage dates), employer information, enrollee information (e.g. address, email, phone number, race, ethnicity, and citizenship status).

We recognize the seriousness of this incident and we have reached out to impacted enrollees to provide three years of free identity and credit monitoring for all three major credit bureaus. The three years of monitoring protection includes all enrolled dependents, spouses and children. In addition, and out of an abundance of caution, we are offering the same three years of monitoring to all other customers, who were not impacted.

We can confirm reports that data for some DC Health Link customers has been exposed on a public forum. We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement. Concurrently, we are taking action to ensure the security and privacy of our users’ personal information. We are in the process of notifying impacted customers and will provide identity and credit monitoring services. In addition, and out of an abundance of caution, we will also provide credit monitoring services for all of our customers. The investigation is still ongoing and we will provide more information as we have more to share.

Frequently Asked Questions (FAQs) March 14, 2023

On Monday, March 6, the DC Health Benefit Exchange Authority (“DC Health Link”) received notice that data for some DC Health Link individuals had been published on a data breach forum. DC Health Link immediately launched a comprehensive investigation, began working with law enforcement, and engaged a third-party expert forensics firm to investigate.
The issue which led to this data breach has been identified and eliminated.

DC Health Link is notifying all affected individuals and providing three years of identity and credit monitoring for all three major credit bureaus. The three years of monitoring protection includes all enrolled dependents, spouses, and children.

DC Health Link is sending affected individuals notice via their DC Health Link account.

The data fields include the following, although not all data fields were necessarily included for each individual: name, Social Security number, date of birth, gender, health plan information (e.g., plan name, carrier name, premium amounts, employer contribution, and coverage dates), employer information, enrollee information (e.g., address, email, phone number, race, ethnicity, and citizenship status).

We are working with the expert forensics firm Mandiant to do a comprehensive review of our security measures and controls, and we will be implementing new protocols going forward.

We understand that the data exposed contained personal information, and we do not take that lightly. That’s why we acted quickly to notify affected individuals and to provide them with identity and credit monitoring protection.