A test server was compromised but no user data lost, government officials say. And security experts wonder why a default password was used at Healthcare.gov.
The Healthcare.gov Website was breached in an attack, but government officials claim no personal information was stolen. The attack, disclosed
in The Wall Street Journal
Sept. 4, reportedly occurred in July but it wasn't noticed by government officials until Aug. 25.
The attack was targeted at a test server, where development code is first loaded for Healthcare.gov
. According to the government, there is no indication at this point that any user information was stolen, but the attacker was able to load malware onto the site.
The malware in question was apparently a form of denial-of-service software, according to a statement
the Department of Homeland Security sent to The Washington Post.
"The National Cybersecurity & Communications Integration Center's (NCCIC), US-CERT worked with HHS to analyze and mitigate the effects of a Distributed Denial of Service malware package and there is no indication that any data was compromised at this time," DHS spokesman S.Y. Lee said in the statement.
The evidence points to the test server in question as using a default username and password combination, which enabled the attacker to gain access.
"While it's great to hear that this impacted server doesn't seem to have directly impacted users' personal data, it is concerning that such a related server could have been using a default password, as is being reported at this time," Mark Stanislav, security evangelist at Duo Security
, wrote in an email to eWEEK
. "Any system related to Healthcare.gov should be treated with great focus on security, including two-factor authentication and other proper security controls."
Eric Cowperthwaite, vice president of advanced security and strategy at Core Security
, also questioned why a default password was being used at Healthcare.gov
Cowperthwaite is no stranger to the world of health care IT security. Prior to joining Core Security in September 2013, he was chief information security officer of Providence Health and Services.
"A basic security flaw went overlooked, and it was assumed that because the system in question wasn't supposed to be connected to the Internet, it wasn't high priority and didn't warrant continuous monitoring," Cowperthwaite said in an email to eWEEK
. "But accidentally connecting a system like this to the Internet happens all the time."
The security posture of Healthcare.gov
has been an ongoing concern since the site launched in October 2013. Initially, the Healthcare.gov
site was plagued by accessibility delays
that prevented Americans from signing up. At the time of the initial launch, multiple security experts contacted by eWEEK raised concerns
about the platform's security.
According to a report
in The New York Times
, U.S. lawmakers are also saying, "I told you so" about the Healthcare.gov breach.
"Despite numerous warnings from myself and other lawmakers that security breaches were possible, Healthcare.gov underwent virtually no independent security testing before it went live," Senator Orrin G. Hatch (R-Utah) said in The Times
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist