July 1 2014
Undetected for a Month, Romanian Hacker Attacks Vermont Health Exchange Server
Jillian Kay Melchior
As Obamacare enrollment closed, Vermont’s Democrats pronounced “Obamacare is working” and gloated about the fact that its state exchange had enrolled 54 percent of the eligible market, the highest rate in the nation.
That purported success is looking more questionable by the moment.
Today, I report on how a Romanian hacker working from an IP known for attacks was able to successfully penetrate a Vermont health exchange’s development server—and go undetected for a month.
The hack was possible because of a couple of stupid mistakes: the password for the server was never changed from the default, and no one bothered to restrict access to only approved users.
In the words of Vermont’s chief of health-care reform, it was the equivalent of “someone walking into an unlocked, new house, and the default password for the alarm system is on a Post-It note next to the alarm pad, and the front door was unlocked.”
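The two mistakes described above (a credential left at its vendor default, and no restriction of access to approved users) and the month-long detection gap map directly onto checks a defender can script. The following Python is an added example, not code from the article or from Vermont Health Connect; the configuration keys, the default-credential list, the log format, the network ranges and the addresses are all constructed for illustration.

```python
"""
Defensive checks for the two failures the article describes on a development
server: a credential still at its vendor default and no restriction of access
to approved users or addresses, plus the log review that would have surfaced
an unapproved login long before a month had passed.

Every configuration value, default-credential pair and log line below is
constructed for this example; none comes from Vermont Health Connect.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed: vendor default credentials a deployment checklist would forbid.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "changeme"),
}

# Constructed "as found" configuration: default password, no allow-list.
WEAK_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "allowed_networks": [],  # empty list: anyone on the internet can reach it
}

# Constructed hardened configuration: unique account, non-default secret,
# access limited to the staff network.
HARDENED_CONFIG = {
    "admin_user": "vhc-ops",
    "admin_password": "example-unique-secret-not-a-default",
    "allowed_networks": ["10.20.0.0/24"],
}


def audit_config(config):
    """Return a list of findings; an empty list means both controls are present."""
    findings = []
    creds = (config.get("admin_user"), config.get("admin_password"))
    if creds in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default credentials still in use")
    if not config.get("allowed_networks"):
        findings.append("no source-address restriction configured")
    return findings


# Constructed log format: "<timestamp> login <ok|fail> user=<name> src=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) login (?P<status>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def find_unapproved_logins(log_lines, allowed_networks):
    """Return (timestamp, user, src) for each successful login from outside the allow-list."""
    nets = [ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] != "ok":
            continue  # malformed line or failed attempt: not a successful login
        src = ip_address(m["src"])
        if not any(src in net for net in nets):
            hits.append((m["ts"], m["user"], m["src"]))
    return hits


# Constructed log lines: staff logins from the approved network, plus one
# failed and one successful "admin" login from an address outside it.
SAMPLE_LOG = [
    "2014-05-01T08:02:11Z login ok user=deploy src=10.20.0.15",
    "2014-05-02T22:41:09Z login fail user=admin src=203.0.113.77",
    "2014-05-02T22:41:13Z login ok user=admin src=203.0.113.77",
    "2014-05-03T09:15:00Z login ok user=deploy src=10.20.0.16",
]
APPROVED_NETWORKS = ["10.20.0.0/24"]

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("config finding:", finding)
    for ts, user, src in find_unapproved_logins(SAMPLE_LOG, APPROVED_NETWORKS):
        print(f"unapproved successful login at {ts}: user={user} from {src}")
```

Run against the weak configuration the audit reports both findings, and against the hardened one it reports none; the log scan flags only the successful login from outside the approved network, which is the event that in the article went unnoticed for a month. The same two checks belong in a pre-deployment gate so a development server is never exposed in the state the article describes.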
Vermont’s officials say they don’t believe that consumer information was compromised, but a respected cybersecurity expert I spoke to wasn’t so sure:
Michael Gregg, the CEO of the cyber-security consulting firm Superior Solutions, says it’s possible the hacker went on to access other parts of Vermont Health Connect, covering his tracks and remaining undetected to this day.
“There is potential for consumer risk,” says Gregg, who has also testified to Congress about cyber-security risks for HealthCare.gov. “Best practices were not carried out in several respects. All those point to the possibility of further or additional breaches, because they have just not shown that they have done the due diligence, and without those controls in place, it’s hard to say. The attacker could have captured passwords on additional systems and used those to create different accounts that Vermont Health Connect doesn’t know about yet.”
And keep in mind that this wasn’t Vermont’s first security breach:
Last November, the Associated Press reported on an incident in which an enrollee received his own application in the mail, courtesy of an anonymous sender who had scrawled “VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!” on both the envelope and the application. The unnamed sender had obtained paperwork that included the applicant’s Social Security number as well as other private information.
The Vermont health exchange had struggled with its technology from the beginning. As Newsweek reported in February:
Vermont’s CGI-built website didn’t work on October 1, and today, the state still does not have a fully functioning marketplace. There is no way for small businesses, the heart of Vermont’s economy, to purchase coverage online; instead, they have to buy insurance directly from one of two state-approved insurers. Payments for premiums still cannot be processed online – people have to snail-mail checks to a CGI processor in Nebraska. And individuals who registered online but then got divorced, changed jobs or had either pay cuts or increases cannot alter their information online.
Some of those glitches continue to be a problem even now:
The online premium payment system for small businesses has never worked and now state officials say it won’t be ready until sometime next year.
Vermont is the only state in the country to mandate that all small businesses purchase their coverage on the state’s health care exchange. That’s why there was a lot of concern when the online premium payment system for businesses wasn’t ready to go last October. Eight months later, it still doesn’t work.
Vermont’s Democrats have some funny ideas about what “working” means.
— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.