By Danny Yadron
A hacker broke into part of the HealthCare.gov insurance enrollment website in July and uploaded malicious
software, according to federal officials.
Investigators found no evidence that consumers' personal data were taken or viewed during the breach, federal
officials said. The hacker appears only to have gained access to a server used to test code for HealthCare.gov, the
The server was connected to more sensitive parts of the website that had better security protections, the officials
said. That means it would have been possible, if difficult, for the intruder to move through the network and try to view
more protected information, an official at the Department of Health and Human Services said. There is no indication that
happened, and investigators suspect the hacker didn't intend to target a HealthCare.gov server.
The prospect nevertheless raised concerns among federal officials because of how easily the intruder gained access
and how much damage could have occurred.
The HHS official said the attack appears to mark the first successful intrusion into the website, where millions of
Americans bought insurance starting last year under the 2010 Affordable Care Act. The agency discovered the attack last
"Our review indicates that the server did not contain consumer personal information; data was not transmitted
outside the agency, and the website was not specifically targeted," HHS said in a written statement. "We have taken
measures to further strengthen security."
The attack comes as the federal government and insurance companies prepare for the second year of open enrollment
to buy health insurance under the law, beginning on Nov. 15. Federal officials said that the incident shouldn't have an
effect on the process, and that the intruder has since been blocked.
The breach could add fresh ammunition to fall election campaigns by Republican lawmakers, who oppose the law and
have criticized its rollout. HealthCare.gov suffered from crippling technology problems when it launched in October,
though the government has since improved the site. Some 5.4 million applicants signed up for health plans via the site
by the end of open enrollment.
Taken with recent cybersecurity incidents at J.P. Morgan Chase & Co., Home Depot Inc. and celebrities' iPhones, the
HealthCare.gov hack further underscores that large organizations haven't yet mastered how to secure troves of data they
collect from consumers.
The White House and congressional staff have been briefed on the matter, officials said. The Department of Homeland
Security, Federal Bureau of Investigation and National Security Agency have aided the investigation, which is active.
The FBI traced the attack to several Internet addresses--some overseas--but doesn't think it is the work of a
state-backed actor, officials said.
"There is no indication that any data was compromised at this time," DHS spokesman S.Y. Lee said in a written
statement. "DHS will continue to monitor the situation and help develop and implement precautionary mitigation
strategies as necessary."
As an insurance-enrollment portal, HealthCare.gov stores deeply personal details on Americans, including Social
Security numbers, financial data and names of family members. None of that appeared to gain the still-unknown hacker's
interest, officials said.
Rather, investigators found that in July, the intruder did just one thing: install malware on a HealthCare.gov
server so it could be used in future cyberattacks against other websites, federal officials said. Hackers often take
over troves of computers and servers to direct mischief traffic at websites. The rush of traffic, known as a
denial-of-service attack, overwhelms the site and knocks it offline.
Such types of cyberattacks are considered a nuisance. If discovered at a private company, it is likely the firm
wouldn't disclose the incident, cybersecurity attorneys have said.
"If this happened anywhere other than HealthCare.gov, it wouldn't be news," a senior DHS official said.
Investigators found the hacker was scanning both federal and private websites for a certain type of server that the
person would then hack. This suggests the hacker wasn't targeting the health-care website, the official said.
Washington officials said they are concerned an intruder gained access to the HealthCare.gov network through a
basic security flaw. The server had low security settings because it was never meant to be connected to the Internet,
the HHS official said. When the hacker broke in, it was only guarded by a default password, which often is easy to
"There was a door left open," the official said.
The department discovered the break-in weeks later on Aug. 25 during a daily security scan. Buried amid lines of
computer log files were data showing the test server had been contacted by the outside Internet, which wasn't supposed
Lawmakers first raised security concerns about HealthCare.gov when it launched nearly a year ago. At the time,
then-HHS Secretary Kathleen Sebelius said the department had a plan in the event of a security breach. Other hacking
attempts reportedly have been made, but none appear to have been successful before this.
"It is full of data that criminals covet," said Rep. Joe Barton (R., Texas), who opposes the health-care law.
"Handing private information over to the government is bad enough. People should at least know it won't fall into the
hands of hackers."
Sen. Tom Carper (D., Del.), chairman of the Senate homeland security panel, called the incident "deeply troubling."
HHS said it has taken cybersecurity seriously since launching HealthCare.gov. The site undergoes quarterly security
audits from Blue Canopy Group LLC, a private security company in Reston, Va. It also undergoes daily security scans and
It couldn't be learned whether the misconfigured server could be linked to any of the several technology
contractors who help set up the website.
Stephanie Armour contributed to this article.
(END) Dow Jones Newswires
Copyright (c) 2014 Dow Jones & Company, Inc.