A hacker breached part of the federal Obamacare website HealthCare.gov in July, The Wall Street Journal reported Thursday.
It’s the first successful hack of HealthCare.gov, according to officials, but federal investigators don’t believe any consumers’ personal data was stolen.
The hacker broke into a server used to test code for HealthCare.gov and uploaded malicious software. In this type of attack, malware is uploaded to a server, in this case the HealthCare.gov test server, so that the machine can be used in future denial-of-service attacks against other websites. The malware used lets hackers direct a rush of traffic at another website to make it go offline.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” the Department of Health and Human Services said in a statement. “We have taken measures to further strengthen security.”
HHS officials have briefed the White House and congressional staff, and the Department of Homeland Security, the Federal Bureau of Investigation and the National Security Agency have all taken part in the ongoing investigation.
“There is no indication that any data was compromised at this time,” DHS spokesman S.Y. Lee said in a statement. “DHS will continue to monitor the situation and help develop and implement precautionary mitigation strategies as necessary.”
The FBI traced the hack to several Internet addresses, including some that were overseas, but doesn’t believe the attack was backed by a foreign state.
But The Wall Street Journal reports that the hacker gained access to HealthCare.gov’s servers much too easily. HHS officials told The WSJ that a basic security flaw left the Obamacare website open to attack. The server, which contained only test code, had low security settings because officials didn’t intend to connect it to the Internet; when the hacker accessed the server, it was protected by only an easy-to-crack default password.
“There was a door left open,” the official told WSJ.
Congress and cybersecurity experts have long worried about the cybersecurity of HealthCare.gov. The website collects and transfers a treasure trove of personal and identifying information about consumers who use the exchange, amassing data from many federal agencies. Social Security numbers, financial and income information, personally identifying information and even limited health status data are all collected by HealthCare.gov servers.