HealthCare.gov Hack Reminiscent of Earlier Vermont Exchange Attack

As the Wall Street Journal breaks news this afternoon about a successful hack at HealthCare.gov, this reporter struck by the similarities to a previous Obamacare break-in, one at the Vermont health exchange.

To begin with, it’s appalling how basic both hacks were.

Despite numerous policies and best practices governing security, the HealthCare.gov server “was guarded only by a default password,” and it “had such low security settings because it was never meant to be connected to the Internet,” theJournal writes. In other words — those of an HHS official, in fact — “there was a door left open.”

Similarly, in Vermont, the development server’s default password was never changed.

Lawrence Miller, the state’s chief of health-care reform, told NRO at the time: “[The hacked server] frankly should never have been plugged into the wall as far as I could tell. If [this breach] had been any measure of our [overall] security system, that would be very problematic, but it’s more like someone walking into an unlocked, new house, and the default password for the alarm system is on a Post-It note next to the alarm pad, and the front door was unlocked.”

Also disturbing, at both a federal and a state level, it’s taking far too long for the government to detect hacks.

The Journal reports that although the hacker gained access and installed malware on a HealthCare.gov server in July, the Department of Health and Human Services “discovered the break in weeks later on Aug. 25 during a daily security scan” (emphasis added). Similarly, in Vermont, it took the health exchange an entire month to detect the attack — and by that time, the hacker had accessed the server at least 15 times.

While the Federal Bureau of Investigation does not believe the hack was a state-sponsored attack, according to the Journal, it did trace the attack back to several IP addresses from abroad. In Vermont, the health-exchange hack originated from Romania.

In both instances, officials have been quick to say that no personal information was compromised, as far as they know. But in Vermont, at least, experts were less confident. Similar unknowns may exist on the federal level.

The similarities between the HealthCare.gov and Vermont attacks are significant because they suggest a top-to-bottom lack of security that afflicts the federal and state exchanges alike.

Michael Gregg, a cybersecurity expert who testified to Congress about HealthCare.gov risks, tells NRO this evening: “I think the most important take-away, unfortunately, is to still be very leery about how well these systems have actually been secured. We’re still potentially running code and applications that seem to be vulnerable at one point, and these systems may still be at this state: We’re still working with these patched systems. All this stuff should have been rebuilt from the ground up with security as the first thing in mind.”

— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.