Healthcare.gov Security Update

Friday October 17, 2014

“This is the latest information on the security breach of the Healthcare.gov website.” Brenda Boomer | bboomer@peabodyinc.com

Government officials have revealed that hackers were able to breach security for healthcare.gov, the federal insurance enrollment exchange created by the Affordable Care Act, and the site remains vulnerable to further attacks less than two months before open enrollment begins.

The attack, which occurred in July and was announced in early September by the Department of Health and Human Services (HHS), was discovered by government security experts nearly a month after it took place. The intruder was able to upload malicious software to the site, but investigators found no evidence that users’ personal data was accessed during the breach.

While federal investigators have yet to identify the perpetrator of the attack, they have discovered that the hacker did not specifically target healthcare.gov, but was instead scanning numerous government websites for a specific type of server vulnerability. The hacker was able to identify a healthcare.gov server with weak security, because administrators did not know it was connected to the Internet. Once the hacker penetrated the server, they installed malware to be used in future cyber attacks against other websites. The break-in was detected weeks later during a security scan on Aug. 25.

Data that could potentially have been exposed to the hacker included names, addresses, phone numbers, Social Security numbers, income information and household-member information for over 5 million applicants who used healthcare.gov to obtain insurance coverage. However, whoever hacked the site chose not to access any of that information.

HHS said it has taken cyber security seriously since launching healthcare.gov, even more so in light of the attack, which was the first successful hack among the multiple attempts made since the portal was launched in 2013. According to HHS, the site undergoes quarterly security audits from a private security company and performs daily security scans and hacking-readiness exercises.

Despite the security procedures, the Government Accountability Office (GAO) says network weaknesses still remain that carry the potential to expose users’ private information. In a report released on Sept. 16, the GAO said information security and privacy controls remain vulnerable, chiefly due to a lack of agreement between federal and state agencies and private contractors as to who is responsible for shielding data.

The report comes as HHS and insurance companies prepare for the second year of open enrollment, which begins on Nov. 15. HHS has said that the incident shouldn't have an effect on the process, and that the intruder has since been blocked. The case remains under investigation.