Hacker Breached HealthCare.gov Insurance Site

By Dow Jones Business News, 
A A A


By Danny Yadron

A hacker broke into part of the HealthCare.gov insurance enrollment website in July and uploaded malicious software, according to federal officials.

Investigators found no evidence that consumers' personal data were taken or viewed during the breach, federal officials said. The hacker appears only to have gained access to a server used to test code for HealthCare.gov, the officials said.

The server was connected to more sensitive parts of the website that had better security protections, the officials said. That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information, an official at the Department of Health and Human Services said. There is no indication that happened, and investigators suspect the hacker didn't intend to target a HealthCare.gov server.

The prospect nevertheless raised concerns among federal officials because of how easily the intruder gained access and how much damage could have occurred.

The HHS official said the attack appears to mark the first successful intrusion into the website, where millions of Americans bought insurance starting last year under the 2010 Affordable Care Act. The agency discovered the attack last week.

"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," HHS said in a written statement. "We have taken measures to further strengthen security."

The attack comes as the federal government and insurance companies prepare for the second year of open enrollment to buy health insurance under the law, beginning on Nov. 15. Federal officials said that the incident shouldn't have an effect on the process, and that the intruder has since been blocked.

The breach could add fresh ammunition to fall election campaigns by Republican lawmakers, who oppose the law and have criticized its rollout. HealthCare.gov suffered from crippling technology problems when it launched in October, though the government has since improved the site. Some 5.4 million applicants signed up for health plans via the site by the end of open enrollment.

Taken with recent cybersecurity incidents at J.P. Morgan Chase & Co., Home Depot Inc. and celebrities' iPhones, the HealthCare.gov hack further underscores that large organizations haven't yet mastered how to secure troves of data they collect from consumers.

The White House and congressional staff have been briefed on the matter, officials said. The Department of Homeland Security, Federal Bureau of Investigation and National Security Agency have aided the investigation, which is active. The FBI traced the attack to several Internet addresses--some overseas--but doesn't think it is the work of a state- backed actor, officials said.

"There is no indication that any data was compromised at this time," DHS spokesman S.Y. Lee said in a written statement. "DHS will continue to monitor the situation and help develop and implement precautionary mitigation strategies as necessary."

As an insurance-enrollment portal, HealthCare.gov stores deeply personal details on Americans, including Social Security numbers, financial data and names of family members. None of that appeared to gain the still-unknown hacker's interest, officials said.

Rather, investigators found that in July, the intruder did just one thing: install malware on a HealthCare.gov server so it could be used in future cyberattacks against other websites, federal officials said. Hackers often take over troves of computers and servers to direct mischief traffic at websites. The rush of traffic, known as a denial-of- service attack, overwhelms the site and knocks it offline.

Such types of cyberattacks are considered a nuisance. If discovered at a private company, it is likely the firm wouldn't disclose the incident, cybersecurity attorneys have said.

"If this happened anywhere other than HealthCare.gov, it wouldn't be news," a senior DHS official said.

Investigators found the hacker was scanning both federal and private websites for a certain type of server that the person would then hack. This suggests the hacker wasn't targeting the health-care website, the official said.

Washington officials said they are concerned an intruder gained access to the HealthCare.gov network through a basic security flaw. The server had low security settings because it was never meant to be connected to the Internet, the HHS official said. When the hacker broke in, it was only guarded by a default password, which often is easy to crack.

"There was a door left open," the official said.

The department discovered the break-in weeks later on Aug. 25 during a daily security scan. Buried amid lines of computer log files were data showing the test server had been contacted by the outside Internet, which wasn't supposed to happen.

Lawmakers first raised security concerns about HealthCare.gov when it launched nearly a year ago. At the time, then-HHS Secretary Kathleen Sebelius said the department had a plan in the event of a security breach. Other hacking attempts reportedly have been made, but none appear to have been successful before this.

"It is full of data that criminals covet," said Rep. Joe Barton (R., Texas), who opposes the health-care law. " Handing private information over to the government is bad enough. People should at least know it won't fall into the hands of hackers."

Sen. Tom Carper (D., Del.), chairman of the Senate homeland security panel, called the incident "deeply troubling."

HHS said it has taken cybersecurity seriously since launching HealthCare.gov. The site undergoes quarterly security audits from Blue Canopy Group LLC, a private security company in Reston, Va. It also undergoes daily security scans and drill-hacking exercises.

It couldn't be learned whether the misconfigured server could be linked to any of the several technology contractors who help set up the website.

Stephanie Armour contributed to this article.

Write to Danny Yadron at danny.yadron@wsj.com

Subscribe to WSJ: http://online.wsj.com?mod=djnwires


  (END) Dow Jones Newswires
  09-04-141951ET
  Copyright (c) 2014 Dow Jones & Company, Inc.


This article appears in: Technology

Referenced Stocks: HD

Dow Jones Business News


More from Dow Jones Business News:

Related Videos

Stocks

Referenced

80%

Most Active by Volume

17,002,230
  • $9.285 ▼ 7.15%
14,687,486
  • $73.98 ▼ 2.48%
8,312,841
  • $16.93 ▼ 0.35%
7,264,667
  • $5.46 ▲ 4%
6,492,242
  • $40.53 ▼ 3.68%
5,798,022
  • $4.8099 ▼ 10.60%
5,599,681
  • $2.89 ▲ 12.89%
5,482,007
  • $11.30 ▲ 0.80%
As of 10/30/2014, 09:56 AM