Bloomberg the Company & Products

Bloomberg Anywhere Login

Bloomberg

Connecting decision makers to a dynamic network of information, people and ideas, Bloomberg quickly and accurately delivers business and financial information, news and insight around the world.

Company

Financial Products

Enterprise Products

Media

Customer Support

  • Americas

    +1 212 318 2000

  • Europe, Middle East, & Africa

    +44 20 7330 7500

  • Asia Pacific

    +65 6212 1000

Communications

Industry Products

Media Services

Follow Us

Obamacare Website Hacked as U.S. Says Data Wasn’t Taken

Don't Miss Out —
Follow us on:
Obamacare Website
The HealthCare.gov website was hacked in July, although no personal data appear to have been taken, according to the U.S. Centers for Medicare and Medicaid Services. Photographer: Andrew Harrer/Bloomberg

Sept. 5 (Bloomberg) -- The HealthCare.gov website that had an error-plagued debut last year was hacked in July, although no personal data appear to have been taken, according to the U.S. Centers for Medicare and Medicaid Services.

The attack, discovered Aug. 25 and disclosed yesterday, marks the first known intrusion into the federally run website. The breach revived complaints from Republican lawmakers about the online portal through which consumers shop for health insurance as required under the 2010 Affordable Care Act.

“Our review indicates that the server did not contain consumer personal information,” Aaron Albright, an agency spokesman, said yesterday in an e-mailed statement. “We have taken measures to further strengthen security.”

Last year, programming and hardware errors kept the website from working for most Americans for two months after it went live as part of the rollout of the 2010 law, also known as Obamacare. Health and Human Services Secretary Kathleen Sebelius publicly acknowledged it was a “debacle,” and she resigned from the department, which oversees CMS, on April 10.

The July attack exploited a test server used to support the website and was never intended to be connected to the Internet, Albright said. The server was protected with only a default password.

“Shame on the U.S. government for allowing this to happen,” Jon Clay, a security manager with the network security company Trend Micro Inc., said in a phone interview. “We paid how many millions to put this thing up and a default password was used on a server?”

Homeland Security

One of the first things a hacker will do after getting inside a network is check for default passwords, Clay said. A default password, often a simple word such as “admin,” is established by developers and is intended to be changed by a user for security.

“Even if it’s not connected to the Internet, if it’s connected to the network that other Internet-facing systems are on, then its connected to the Internet,” Clay said. “You have to ask where is the auditing being done to audit all the systems that are in place within that network.”

The Homeland Security Department investigated the attack, agency spokesman S.Y. Lee said in an e-mail.

The department concluded that one machine was infected with malware intended to attack other websites with denial-of-service attacks that flood servers with traffic to knock them offline.

Representative Darrell Issa, a California Republican and chairman of the House Oversight and Government Reform Committee, seized on the attack and called on CMS Administrator Marilyn Tavenner to testify before his panel on Sept. 18.

“For nearly a year, the administration has dismissed concerns about the security of healthcare.gov, even as it obstructed congressional oversight of the issue,” Issa said in a statement.

To contact the reporters on this story: Chris Strohm in N at cstrohm1@bloomberg.net; Anna Edney in Washington at aedney@bloomberg.net

To contact the editors responsible for this story: Jon Morgan at jmorgan97@bloomberg.net Justin Blum

Please upgrade your Browser

Your browser is out-of-date. Please download one of these excellent browsers:

Chrome, Firefox, Safari, Opera or Internet Explorer.