A hacker managed to breach cybersecurity at HealthCare.gov and implant malicious code on the federal Obamacare website, officials revealed Thursday.
Healthcare.gov hosts the federal insurance exchange on which millions of Americans have purchased health insurance since the Affordable Care Act mandate that most people be insured began rolling out last year. Officials said they learned of the hack, which took place in July, last week.
The attack is apparently the first instance of a hacker successfully breaking through the site’s defenses, an anonymous employee of the Department of Health and Human Services told The Wall Street Journal.
Officials said the attacker does not appear to have stolen any personal data and only broke in to a server used to test run software for the site. HHS said the Healthcare.gov site doesn’t seem to have been a specific target of the attack.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” HHS said in a statement to the WSJ. “We have taken measures to further strengthen security.”
Investigators found that hackers had not coordinated an assault to get valuable personal information, but had intended to install malware to allow other computers to control the Healthcare.gov system for later mass attacks, like a DDOS attack, designed to send so many visitors to a website it overwhelms the site’s ability to function. Investigators said they believe the hack is not the work of another government or government sponsored group.
Such security breaches are not uncommon but the attack raises concerns about the security of the website, which contains confidential personal details of millions of Americans. Republicans, who are united in opposition to the law and its implementation, have long warned the site was at risk of attack by hackers.
“If this happened anywhere other than HealthCare.gov, it wouldn’t be news,” a senior DHS official told the WSJ.