A Romanian attacker hacked the Vermont health exchange’s development server last December, gaining access at least 15 times and going undetected for a month, according to records obtained by National Review Online.
CGI Group, the tech firm hired to build Vermont Health Connect, described the risk as “high” in a report about the attack. It also found possible evidence of sophisticated “counter-forensics activity performed by the attacker to cover his/her tracks.”
The report says that no private consumer information was stored on the hacked server, and that CGI Group had “verified that no additional servers [that may store private data] communicated with any of the identified attacker IP addresses.”
But Michael Gregg, the CEO of the cyber-security consulting firm Superior Solutions, says it’s possible the hacker went on to access other parts of Vermont Health Connect, covering his tracks and remaining undetected to this day.
“There is potential for consumer risk,” says Gregg, who has also testified to Congress about cyber-security risks for HealthCare.gov. “Best practices were not carried out in several respects. All those point to the possibility of further or additional breaches, because they have just not shown that they have done the due diligence, and without those controls in place, it’s hard to say. The attacker could have captured passwords on additional systems and used those to create different accounts that Vermont Health Connect doesn’t know about yet.”
The hacker gained access because the default password on the development server was never changed (in violation of guidelines laid out in the state’s official policy) and because access to the server was not restricted to known, approved users.
Lawrence Miller, chief of health-care reform for the state of Vermont, tells National Review Online that the development deadlines might have been a factor in the security problems, as they had been on other state exchanges and the federal exchange.
“This is a highly compressed time frame, and you saw corners getting cut — I don’t know if ‘corners getting cut’ is the right way to put it — but you saw all of those teams working on an expedited basis,” he says. Other parts of the health exchange were stored on much more secure servers, he adds, and in his view consumers’ personal information was not compromised.