Sept. 5 (Bloomberg) — The HealthCare.gov website that had an error-plagued debut last year was hacked in July, although no personal data appear to have been taken, according to the U.S. Centers for Medicare and Medicaid Services.   The attack, discovered Aug. 25 and disclosed yesterday, marks the first known intrusion into the federally run website. The breach revived complaints from Republican lawmakers about the online portal through which consumers shop for health insurance as required under the 2010 Affordable Care Act.   "Our review indicates that the server did not contain consumer personal information," Aaron Albright, an agency spokesman, said yesterday in an e-mailed statement. "We have taken measures to further strengthen security."   Last year, programming and hardware errors kept the website from working for most Americans for two months after it went live as part of the rollout of the 2010 law, also known as Obamacare. Health and Human Services Secretary Kathleen Sebelius publicly acknowledged it was a "debacle," and she resigned from the department, which oversees CMS, on April 10.   The July attack exploited a test server used to support the website and was never intended to be connected to the Internet, Albright said. The server was protected with only a default password.   "Shame on the U.S. government for allowing this to happen," Jon Clay, a security manager with the network security company Trend Micro Inc., said in a phone interview. "We paid how many millions to put this thing up and a default password was used on a server?"   Homeland security   One of the first things a hacker will do after getting inside a network is check for default passwords, Clay said. A default password, often a simple word such as "admin," is established by developers and is intended to be changed by a user for security.   "Even if it's not connected to the Internet, if it's connected to the network that other Internet-facing systems are on, then its connected to the Internet," Clay said. "You have to ask where is the auditing being done to audit all the systems that are in place within that network."   The Homeland Security Department investigated the attack, agency spokesman S.Y. Lee said in an e-mail.   The department concluded that one machine was infected with malware intended to attack other websites with denial-of-service attacks that flood servers with traffic to knock them offline.   Representative Darrell Issa, a California Republican and chairman of the House Oversight and Government Reform Committee, seized on the attack and called on CMS Administrator Marilyn Tavenner to testify before his panel on Sept. 18.   "For nearly a year, the administration has dismissed concerns about the security of healthcare.gov, even as it obstructed congressional oversight of the issue," Issa said in a statement.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Complete your profile to continue reading and get FREE access to BenefitsPRO, part of your ALM digital membership.

Your access to unlimited BenefitsPRO content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking benefits news and analysis, on-site and via our newsletters and custom alerts
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the property casualty insurance and financial advisory markets on our other ALM sites, PropertyCasualty360 and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.