US government officials have confirmed that a hacker was able to access the Healthcare.gov earlier this year and upload malicious software to the insurance website. The breach, which was only discovered by the Department of Health and Human Services last week, took place in July. The officials reported the hack marked the first successful attack on Healthcare.gov, but specified the hacker wasn't specifically targeting the site, and that no personal records of the 5.4 million people who have used the site to buy health insurance since it launched were stolen.
The hacker reportedly uploaded malware that would allow Healthcare.gov's server to be used as a weapon in a DDoS (distributed denial of service) attack. With the software uploaded, the insurance portal could be coerced into sending huge amounts of traffic to other websites, taking them offline for extended periods of time. The hack was investigated by the Department of Homeland Security itself with help from the FBI and NSA. The agencies have reportedly traced the origin of the attack to IP addresses located outside the US, but they don't believe it was carried out by state-supported hackers.
The hacker uploaded malicious software to Healthcare.gov
A senior DHS official clarified that such attacks are common, saying "if this happened anywhere other than HealthCare.gov, it wouldn't be news." But The Wall Street Journal reports that Washington officials are nervy after the breach, which was made possible when a section of the site that was not meant to be connected to the internet was made accessible online while guarded by a simple default password. While no data was apparently stolen, the attack is still damaging: Healthcare.gov is preparing to offer open enrollment this coming November, and the apparent lack of security will be another stick with which Republican opponents to President Obama's healthcare reforms can beat the campaign after its troubled rollout.