On Thursday, HHS officials announced that a hacker in July breached part of HealthCare.gov and uploaded malicious software, the Wall Street Journal reports (Yadron, Wall Street Journal, 9/4).
A team of investigators discovered the breach on Aug. 25 during a routine security scan. HHS officials and the HHS Office of Inspector General were immediately notified and worked with the Department of Homeland Security and the U.S. Computer Emergency Readiness Team to respond to the breach (Condon, CBS News, 9/4).
According to an HHS official, the attack appears to be the first successful breach of the website, through which millions of U.S. residents have purchased health insurance coverage since fall 2013.
Details of the Hack
Investigators found no evidence that enrollees’ personal data were taken in the attack. Rather, the hacker accessed a server used to test code for the website (Wall Street Journal, 9/4).
Common malware designed to incapacitate other websites, a method often referred to as a “denial of service” attack, was uploaded to the test server. Government officials say the malware was not intended to steal consumers’ data (Viebeck/Hattem, The Hill, 9/4).
“Our review indicates that the server did not contain consumer personal information; data [were] not transmitted outside the agency, and the website was not specifically targeted,” HHS said, adding, “We have taken measures to further strengthen security” (O’Donnell, USA Today, 9/4).
Rep. Darrell Issa (R-Calif.) — chair of the House Oversight and Government Reform Committee — in a statement said the revelations were “unsurprising” amid previous concerns about the website’s security. He added that the administration repeatedly had “dismissed concerns about the security of HealthCare.gov, even as it obstructed congressional oversight on the issue.” Issa also called on CMS Administrator Marilyn Tavenner to testify alongside GAO officials before the committee on Sept. 18 (Hattem, The Hill, 9/4).
Meanwhile, Rep. Diane Black (R-Tenn.) called on the Senate to join the House in passing the Health Exchange Security and Transparency Act (HR 3811), which would require the federal government to notify individuals if their personal information has been breached (Black release, 9/4).