Obamacare website hacked in "denial of service" attack

According to the HHS, no personal information was stolen from HealthCare.gov

By Joanna Rothkopf

Published September 5, 2014 2:33PM (EDT)

    (<a href='url to photographer'>txking</a> via <a href='http://www.shutterstock.com/'>Shutterstock</a>)
(txking via Shutterstock)

On Thursday, White House officials announced that the government's online health insurance marketplace, and object of misplaced conservative rage, HealthCare.gov, had been hacked, although no personal information was taken.

"Our review indicates that the server did not contain consumer personal information, data was not transmitted outside the agency and the website was not specifically targeted," said Aaron Albright, a spokesperson for the Centers for Medicare and Medicaid Services. "We have taken measures to further strengthen the security."

The New York Times' Robert Pear and Nicole Perlroth report:

Mr. Albright said the hacking was made possible by several security weaknesses. The test server should not have been connected to the Internet, he said, and it came from the manufacturer with a default password that had not been changed.

In addition, he said, the server was not subject to regular security scans as it should have been.

The security of HealthCare.gov, which serves residents of 36 states, has been a major concern for some members of Congress, particularly Republicans.

Congressional investigators found that administration officials, eager to begin enrollment on Oct. 1, activated the website even though its security had not been fully tested and did not meet federal standards. This created a potentially "high risk" for the exchange, according to a memorandum prepared by security experts at the Medicare agency.

The specific malware uploaded to the server was not designed to steal personal information; rather, to incapacitate other websites, something known as a "denial of service" attack, which is so common it is attempted 28 times an hour. The Department of Health and Human Services said the security breach would not have an effect on the enrollment process, which will begin on Nov. 15.

According to Time, these types of government security breaches are not uncommon. "If this happened anywhere other than HealthCare.gov, it wouldn't be news," said a senior Department of Homeland Security official.

Joanna Rothkopf

MORE FROM Joanna RothkopfFOLLOW @joannarothkopf

Related Topics ------------------------------------------

Hackers Healthcare.gov Obamacare Security