The HealthCare.gov website that had an error-plagued debut last year was hacked in July, although no personal data appear to have been taken, according to the U.S. Centers for Medicare and Medicaid Services.
The attack, discovered Aug. 25 and disclosed yesterday, marks the first known intrusion into the federally run website. The breach revived complaints from Republican lawmakers about the online portal through which consumers shop for health insurance as required under the 2010 Affordable Care Act.
“Our review indicates that the server did not contain consumer personal information,” Aaron Albright, an agency spokesman, said yesterday in an e-mailed statement. “We have taken measures to further strengthen security.”
Last year, programming and hardware errors kept the website from working for most Americans for two months after it went live as part of the rollout of the 2010 law, also known as Obamacare. Health and Human Services Secretary Kathleen Sebelius publicly acknowledged it was a “debacle,” and she resigned from the department, which oversees CMS, on April 10.
The July attack exploited a test server used to support the website and was never intended to be connected to the Internet, Albright said. The server was protected with only a default password.
“Shame on the U.S. government for allowing this to happen,” Jon Clay, a security manager with the network security company Trend Micro Inc. (TMICY), said in a phone interview. “We paid how many millions to put this thing up and a default password was used on a server?”
One of the first things a hacker will do after getting inside a network is check for default passwords, Clay said. A default password, often a simple word such as “admin,” is established by developers and is intended to be changed by a user for security.
“Even if it’s not connected to the Internet, if it’s connected to the network that other Internet-facing systems are on, then its connected to the Internet,” Clay said. “You have to ask where is the auditing being done to audit all the systems that are in place within that network.”
The Homeland Security Department investigated the attack, agency spokesman S.Y. Lee said in an e-mail.
The department concluded that one machine was infected with malware intended to attack other websites with denial-of-service attacks that flood servers with traffic to knock them offline.
Representative Darrell Issa, a California Republican and chairman of the House Oversight and Government Reform Committee, seized on the attack and called on CMS Administrator Marilyn Tavenner to testify before his panel on Sept. 18.
“For nearly a year, the administration has dismissed concerns about the security of healthcare.gov, even as it obstructed congressional oversight of the issue,” Issa said in a statement.