HealthCare.gov breached, injected with malware

Federal health officials have discovered that the woebegone US insurance exchange site HealthCare.gov was breached in July when an intruder uploaded malware with the apparent motive of using the system to launch cyberattacks against other sites.

No personal data was taken during the break-in, which was discovered late last month and first reported by The Wall Street Journal.

The news should surprise nobody.

Back in November, four cybersecurity experts told Congress that given the site’s security issues, US citizens shouldn’t use HealthCare.gov.

If it hadn’t been hacked already, it would be soon, they said.

This is the first successful, confirmed breach at HealthCare.gov, which went through a wobbly launch last year.

The federal agency responsible for the site, the Department of Health and Human Services (HHS), told news agencies that officials discovered the breach after noticing a problem with a test server.

The FBI and Department of Homeland Security were called in to investigate the attack, and Congressional staffers were briefed on 28 August.

The attackers didn’t single out the so-called “Obamacare” site, HHS said in its statement:

Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted. We have taken measures to further strengthen security.

That points to the possibility that the affected test server was collateral damage in a broad campaign to sniff for vulnerabilities at government and private sites.

Government officials said that intruders uploaded common malware that’s designed to knock out other sites in denial-of-service (DoS) attacks, not to steal people’s individual data.

The healthcare program, and its associated site, is widely despised by Republicans, who are using the breach as fodder for lambasting.

One such foe is Republican Representative Diane Black, of Tennessee, who took the administration to task on Thursday, warning that HealthCare.gov is “an open invitation for hackers” because of the amount of personal information it handles and that the administration is under “no obligation” to disclose a breach even if personal information had been leaked:

While HHS says that this time there was no sensitive personal information that was compromised, due to negligence on the part of the Administration and the Democrat-led Senate, they would be under no obligation to disclose if sensitive personal information were breached.

She urged the Senate to follow the House’s lead and pass a bill – the Health Exchange Security and Transparency Act – that would require HHS to notify people if their information is stolen from the site.

The House Ways and Means subcommittee on health has already scheduled a hearing on the implementation of the Affordable Care Act on Wednesday – perfect timing for politicos to ask questions about the security failure.

Image of syringes courtesy of Shutterstock.