A portion of the Healthcare.gov website was breached in July when hackers uploaded malicious software to a test server, government officials said Thursday. The intrusion was discovered last week by the security team at the Centers for Medicare and Medicaid Services, a unit of the Department of Health and Human Services.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” HHS said in a written statement. “We have taken measures to further strengthen security.” The incident was first reported by the Wall Street Journal.
Officials at HHS say the server was not meant to be connected to the Internet and could not be used to reach other servers and parts of HealthCare.gov, the insurance enrollment portal serving 36 states. The malware uploaded to the system was not specifically designed to target the site -- instead, it was a boilerplate botnet package hackers often use to launch attacks on other Web sites and knock them offline, according to HHS officials.
Teams from the Department of Homeland Security are helping investigate the intrusion and confirmed the nature of the malware. "The National Cybersecurity & Communications Integration Center’s (NCCIC), US-CERT worked with HHS to analyze and mitigate the effects of a Distributed Denial of Service malware package and there is no indication that any data was compromised at this time," said DHS spokesman S.Y. Lee. "DHS will continue to monitor the situation and help develop and implement precautionary mitigation strategies as necessary.”
As the investigation continues, HHS officials say the agency is doing a comprehensive review of security practices. But the intrusion is a reminder that government IT systems can be prone to the same cyber threats facing everyday consumers and major U.S. businesses -- like Home Depot, which acknowledged earlier this week it is investigating "unusual activity" at its stores.
Healthcare.gov launched with severe technical difficulties last fall, and cybersecurity experts have warned Congress the system is vulnerable to hacking.
Congressional Republicans, who led investigations into the Web site’s security after its troubled launch last year, criticized the administration on Thursday.
“IT experts have long warned about the lack of security built into the federal Obamacare website,” U.S. Rep. Diane Black (R-Tenn.) said in a written statement about the intrusion. “The vast amount of personal information that Americans are required to put into this site is an open invitation for hackers.”
House Oversight and Government Reform Committee Chairman Darrell Issa (R-Calif.) announced Thursday that CMS Administrator Marilyn Tavenner, whose agency oversees HealthCare.gov, will testify about the breach of the Web site on Sept. 18.
“Considering this Administration launched healthcare.gov over the objections of CMS, it’s unsurprising that the website has suffered a ‘malicious attack,’” Issa said in a statement.
This is the first known hack of the site, which overcame a terrible launch to enroll 5.4 million people in 2014 health insurance plans. Federal officials are gearing up for the next open enrollment period, scheduled to start Nov. 15.
Trey Ford, a global security strategist at cybersecurity company Rapid7, said the breach is concerning. “While the backstory on how this vulnerability was identified indicates that this attacker was not specifically targeting Healthcare.gov, it’s important to be aware that this website and IP range is a high value target for a number of attackers.”
“I would assume that the test servers are configured in a way that reflects the production environment,” he said in a written statement. “Depending on what data was used in the testing environment, this could be a bigger deal than we know.”