Obamacare Website Hacking Left Personal Data Intact, U.S. Says

(Bloomberg) – The HealthCare.gov website that had a problem-plagued debut last year was hacked in July, although no personal data appear to have been taken, according to the U.S. Centers for Medicare and Medicaid Services.

The attack, which was discovered Aug. 25, marks the first known intrusion into HealthCare.gov and revived complaints about the federally operated website through which consumers shop for health insurance required under the 2010 Affordable Care Act.

“Our review indicates that the server did not contain consumer personal information,” Aaron Albright, an agency spokesman, said in an e-mailed statement. “We have taken measures to further strengthen security.”

Last year, programming and hardware errors prevented the site from working for most Americans for two months after it went live as part of the rollout of the 2010 law, also known as Obamacare. Health and Human Services Secretary Kathleen Sebelius publicly acknowledged the project was a “debacle,” and she resigned from the department, which oversees CMS, on April 10.

The July attack exploited a test server used to support the website and was never intended to be connected to the Internet, Albright said. The server was protected with only a default password.

“Shame on the U.S. government for allowing this to happen,” said Jon Clay, a security manager with the network security company Trend Micro. “We paid how many millions to put this thing up and a default password was used on a server?”

Homeland Security

One of the first things a hacker will do after getting inside a network is check for default passwords, Clay said. A default password, often a simple word such as “admin,” is established by developers and is intended to be changed by a user for security.

“Even if it’s not connected to the Internet, if it’s connected to the network that other Internet-facing systems are on, then its connected to the Internet,” Clay said. “You have to ask where is the auditing being done to audit all the systems that are in place within that network.”

The Homeland Security Department investigated the attack, agency spokesman S.Y Lee said in an e-mail.

The department concluded that one machine was infected with malware intended to attack other websites with denial-of-service attacks that flood servers with traffic to knock them offline.

Representative Darrell Issa, a California Republican and chairman of the House Oversight and Government Reform Committee, seized on the attack and demanded that CMS Administrator Marilyn Tavenner testify before his panel on Sept. 18.

“For nearly a year, the administration has dismissed concerns about the security of Healthcare.gov, even as it obstructed congressional oversight of the issue,” Issa said in a statement.

For reprint and licensing requests for this article, click here.