Hackers breach Healthcare.gov, but no personal data stolen

Hackers infiltrated the US government's healthcare portal, but did not steal any data uploaded by customers.

The HealthCare.gov Web site is far from secure, says a group of security professionals.
The HealthCare.gov Web site is far from secure, says a group of security professionals. Screenshot by Lance Whitney/CNET

The US health care registration website HealthCare.gov was breached by as-yet unidentified hackers over the summer, but investigators said that no personal data was stolen.

However, the people behind the hack were able to upload malware, the Wall Street Journal reported on Thursday. The hack is believed to be the first successful attack against HealthCare.gov and was discovered at the end of August by Department of Health and Human Services employees.

The website opened last year as part of the Affordable Care Act to help Americans compare and purchase health insurance.

"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," the Department of Health and Human Services told the Journal in a statement. "We have taken measures to further strengthen security."

The attack installed malware on Healthcare.gov, which was likely to be used to attack other websites in the future, according to investigators. Experts have been predicting successful attacks against the site since it went public last October.

"While the backstory on how this vulnerability was identified indicates that this attacker was not specifically targeting Healthcare.gov, it's important to be aware that this website and IP range is a high value target for a number of attackers," Trey Ford, global security strategist at security analytics firm Rapid7, told CNET in an email.

Billy Rios, the director of threat intelligence at Qualys, said that the government was downplaying the severity of the hack. "If the hacker really had the ability to upload arbitrary software to the Web server, they certainly had the ability to steal healthcare data if they desired," he said.

The breach comes on the heels of numerous recent and severe website breaches where attackers stole personal data including the bank JPMorgan, the European Central Bank, Apple's iCloud online storage service, and the UPS Store.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
Tech industry's high-flying 2014
Uber's tumultuous ups and downs in 2014 (pictures)
The best and worst quotes of 2014 (pictures)
A roomy range from LG (pictures)
This plain GE range has all of the essentials (pictures)
Sony's 'Interview' heard 'round the world (pictures)