A computer server hosting information for Healthcare.gov, the flagship Obamacare website that millions of Americans have trusted with their social security numbers, income totals and other sensitive personal information, was the subject of a hacker attack earlier this summer, officials said Thursday.
The federal government wasn’t aware it had been hacked on July 8 until just ten days ago.
The admission is fueling fires on Capitol Hill.
The powerful House Oversight and Government Reform Committee announced Thursday afternoon that it has ordered Centers for Medicare and Medicaid Services (CMS) chief Marilyn Tavenner to testify in a September 18 hearing about the Obamacare website’s security lapses.
‘Considering this administration launched Healthcare.gov over the objections of CMS, it’s unsurprising that the website has suffered a “malicious attack”,’ said committee chairman Darrell Issa, a California Republican lawmaker.
‘For nearly a year, the administration has dismissed concerns about the security of Healthcare.gov, even as it obstructed congressional oversight of the issue. … Tavenner must testify on the subject of transparency, accountability, and information security alongside the Government Accountability Office at our September 18th hearing.’
A congressional staffer told MailOnline that a briefing from Tavenner’s agency revealed that malicious code inserted by the hackers was still dormant when technicians discovered it on August 25.
HHS and Department of Homeland Security investigators said there was no evidence consumer information was compromised, but conceded that some of the Internet addresses where the attacks originated were located overseas.
This isn’t the first computer security flaw found in Healthcare.gov’s miles of code. In late October 2013, just four weeks after the website was switched on and became a butt of jokes for its crash-prone flailing, a private software tester showed it was easy to hijack an account by resetting its password.
Another computer glitch temporarily caused Healthcare.gov users to see endless strings of garbled text instead of words when they tried to log into the system last November.
A security expert told MailOnline at the time that the flaw was evidence that the sprawling federal government shouldn’t be trusted with such a wide-ranging project that could leave millions of people without recourse if skeptics’ worst fears were realized.
In this case, however, government officials claim sensitive information was never at risk.
‘Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,’ the Centers for Medicare and Medicaid Services said in a statement. ‘We have taken measures to further strengthen security.’
An FBI official told The Wall Street Journal that although some of the HHS server’s attackers were believed to be foreigners, the government doesn’t believe a state-sponsored operation, like those well-documented to have come from China, was behind it.
Because of a security flaw, a server that was not meant to be connected to the Internet was accessible from it, the Journal reported.
‘There was a door left open,’ an official told the newspaper.
That door was a password that was still set to its default factory-fresh value when hackers probed it.
A senior Homeland Security official told the Journal that ‘if this happened anywhere other than Healthcare.gov, it wouldn’t be news’ – a chilling suggestion that government servers are vulnerable more frequently than Americans know.
The attacked Obamacare server has been disconnected from other systems, officials said Thursday, and retired from use.
Tennessee Sen. Lamar Alexander, the Senate health committee’s senior Republican, blasted HHS on Thursday as more details of the tech failure emerged.
‘This security failure is unacceptable – this administration has an obligation to keep Americans’ personal information safe and secure from computer hackers,’ Alexander said in a statement, ‘and default passwords won’t cut it.’
‘In the coming days, I will be seeking information from Secretary Burwell on how she plans to guard against this kind of security breach.’
The code inserted by the unknown hackers was of the type intended to lie in wait, like a terrorist sleeper-cell, until it’s called upon later to bombard other servers with repeated requests designed to slow them down.
National Review reported Thursday that computer systems tied to state-based health insurance exchanges have also been targeted by malicious overseas hackers.
In one case, the magazine recounted, ‘a Romanian hacker gained access to the health exchange’s development server for a month’ before software developers managed to find out.