Attackers broke into a computer server supporting the US HealthCare.gov website and uploaded malicious files, a government cybersecurity team has discovered.
The Centers for Medicare and Medicaid Services (CMS), the lead Obamacare agency, briefed key congressional staff today about the intrusions, the first of which occurred on July 8, CMS spokesman Aaron Albright said.
The malware uploaded to the server was designed to launch a distributed denial of service (DDoS) attack against other websites, Albright said.
"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," Albright said.
"We have taken measures to further strengthen security."
The Office of Inspector General of the Department of Health and Human Services (HHS), CMS's parent agency, and HHS leadership were notified of the attack.
A spokesman for the Department of Homeland Security, which helps investigate cyber attacks, said its Computer Emergency Readiness Team (US-CERT) had forensically preserved the affected server and had identified and extracted the malware designed to launch the DoS attack.
US-CERT analysis indicated only one server was involved. That server was not running HealthCare.gov; programmers used it to test new code before it goes live.
The test server was not supposed to be connected to the internet, but somehow was. In addition, access to it was protected by a default password installed by the manufacturer, said Albright, who declined to say whether that default was easily breachable.
Cybersecurity expert David Kennedy, chief executive of the information security firm TrustedSec LLC, said he was unconvinced this was the first successful hack on HealthCare.gov.
"There are fundamental flaws in how they're coding the website and it's going to take a long, long time to fix it," he said.
"It continues to be a really big glaring security hole."