An unknown hacker or hackers broke into a computer server supporting the HealthCare.gov website through which consumers enroll in Obamacare health insurance, a government cybersecurity team discovered last week, apparently uploading malicious files, according to Reuters.
The Centers for Medicare and Medicaid Services, the lead Obamacare agency, briefed key congressional staff on Thursday about the intrusions, the first of which occurred on July 8, CMS spokesman Aaron Albright said, Reuters reported.
The malware uploaded to the server was designed to launch a distributed denial of service attack against other websites, not to steal personal information, Albright said, according to Reuters. In a DDoS, Internet-connected computers are so overwhelmed by malware attempting to communicate with their website that, unable to handle legitimate requests, they crash.
"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," Albright said, Reuters reported. "We have taken measures to further strengthen security."
The Office of Inspector General of the Department of Health and Human Services, CMS's parent agency, and HHS leadership were notified of the attack, which was first reported by the Wall Street Journal, according to Reuters.
The test server was not supposed to be connected to the Internet, but somehow was, Reuters reported. Access to it was protected by a default password installed by the manufacturer, said Albright, who declined to say if that default was 1-2-3-4-5 or something equally breachable.
Cybersecurity expert David Kennedy, chief executive of the information security firm TrustedSec, said he was unconvinced this was the first successful hack on HealthCare.gov, according to Reuters.
"There are fundamental flaws in how they're coding the website and it's going to take a long, long time to fix it," he told Reuters. "It continues to be a really big glaring security hole." It is rare for hackers to upload malware without following through to use it, he added.