HealthCare.gov Server Hacked
HHS: No Consumer Data Exposed in Intrusion
Hackers uploaded malware to a test server for the Obamacare insurance exchange website HealthCare.gov in July, federal officials confirm.
The Department of Health and Human Services' Centers for Medicare and Medicaid Services, in a statement provided to Information Security Media Group on Sept. 4, says, "Today, we briefed key Congressional staff about an intrusion on a test server that supports HealthCare.gov. Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted. We have taken measures to further strengthen security."
An HHS official tells ISMG that on August 25, a CMS security team noticed an anomaly via the system security logs of one of the servers on the system. Upon further investigation, the team found malicious files on a test server used to support the site.
The HHS Office of Inspector General and HHS leadership, including the department's Computer Security Incident Response Center, assisted in assessing this incident. Teams from the Department of Homeland Security, including the U.S. Computer Emergency Readiness Team (U.S.-CERT), are also assisting in the response, the HHS official says.
Based on the analysis of the intrusion and additional attempted intrusions on other government and private sector sites, the agency says it doesn't believe HealthCare.gov was targeted, the official says.
The malware uploaded on the test server was designed to launch a distributed-denial-of-service attack against other websites when activated and not designed to exfiltrate PII, the HHS official says.
According to HHS network traffic analysis, HHS sees no evidence that information was communicated to any external IP address, and the test server did not contain PII, the official says. "There is also no evidence that the intrusion took place on other HHS servers," the official says. "All of these conclusions are shared by the federal partners who helped investigate this matter - DHS and the FBI, among others."
The event will have no impact on the second open enrollment period on HealthCare.gov, slated to begin this fall, the HHS official says.
"Even as the investigation continues, we are doing a comprehensive review of security improvements and upgrades, and we immediately moved to block the malicious domains," the HHS official says. "As we have all seen with the private sector, we are in an environment where these types of cyber-attacks will continue and will look for both remediation and proactive steps to protect the security of HealthCare.gov."
Department of Homeland Security spokesman SY Lee tells ISMG that DHS's National Cybersecurity and Communications Center requested that the United States Computer Emergency Response Team, also a DHS unit, work with HHS to analyze and mitigate the effects of the DDoS malware package. "There is no indication that any data was compromised at this time," Lee says.
U.S.-CERT forensically preserved computers thought to be affected by the suspected intrusion, according to a DHS official. U.S.-CERT analyzed the computers and identified and extracted a malicious software package designed for use in DDoS attacks. "U.S.-CERT analysis indicated that the scope of the malicious activity was limited to one machine and had no impact on other assets or information on the network," the official says.
The DHS official also downplayed the significance of the intrusion, noting that last year federal agencies, critical infrastructure providers and DHS industry partners experienced 620 cyber-incidents a day.
The hacking of a HealthCare.gov test server comes as the website continues to face scrutiny by government watchdog agencies and Congress.
A Government Accountability Office report released on July 30 says the oversight and governance practices of the Centers for Medicare and Medicaid Services were ineffective in the development of HealthCare.gov and its systems.
Meanwhile, the GAO is continuing work on a separate examination of HealthCare.gov's privacy and security measures to address a request made by Rep. Lamar Smith, chair of the House Science, Space and Technology Committee, for a security review.
Political opponents and supporters of Obamacare didn't waste time responding to the cyber-intrusion to push their political agendas. "Sadly, the news that HealthCare.gov has been hacked does not come as a surprise," says Obamacare opponent Rep. Joe Pitts, the Pennsylvania Republican who chairs the House Energy and Commerce Health Subcommittee. "The administration has been reckless in its implementation of the [Obamacare] law, relying on a faulty and incomplete website from the get-go."
Obamacare supporter Sen. Tom Carper, D-Del., characterizes the breach as "deeply troubling and underscores the scary reality of how much of a target our sensitive information has become in cyberspace."
"It is critical that Congress work with the Administration and stakeholders to reform our laws to better combat attacks from malicious actors and comprehensively address our serious cyber challenges to protect our nation, its people, its critical infrastructure, and its economy," says Carper, who chairs the Senate Homeland Security and Governmental Affairs Committee and is sponsor of legislation to toughen federal government IT security. "We can't afford more delay on this issue."
(Executive Editor Eric Chabrow contributed reporting to this report.)