
HealthCare.gov Hack Reminiscent of Earlier Vermont Exchange Attack

Obamacare vulnerabilities abound on the federal and state levels

As the Wall Street Journal breaks news this afternoon about a successful hack at HealthCare.gov, this reporter is struck by the similarities to a previous Obamacare break-in, one at the Vermont health exchange.

To begin with, it’s appalling how basic both hacks were.

Despite numerous policies and best practices governing security, the HealthCare.gov server “was guarded only by a default password,” and it “had such low security settings because it was never meant to be connected to the Internet,” the Journal writes. In other words — those of an HHS official, in fact — “there was a door left open.”

Similarly, in Vermont, the development server’s default password was never changed.

Lawrence Miller, the state’s chief of health-care reform, told NRO at the time: “[The hacked server] frankly should never have been plugged into the wall as far as I could tell. If [this breach] had been any measure of our [overall] security system, that would be very problematic, but it’s more like someone walking into an unlocked, new house, and the default password for the alarm system is on a Post-It note next to the alarm pad, and the front door was unlocked.”

Also disturbing, at both a federal and a state level, it’s taking far too long for the government to detect hacks.

The Journal reports that although the hacker gained access and installed malware on a HealthCare.gov server in July, the Department of Health and Human Services “discovered the break in weeks later on Aug. 25 during a daily security scan” (emphasis added). Similarly, in Vermont, it took the health exchange an entire month to detect the attack — and by that time, the hacker had accessed the server at least 15 times.

While the Federal Bureau of Investigation does not believe the hack was a state-sponsored attack, according to the Journal, it did trace the attack back to several IP addresses from abroad. In Vermont, the health-exchange hack originated from Romania.

In both instances, officials have been quick to say that no personal information was compromised, as far as they know. But in Vermont, at least, experts were less confident. Similar unknowns may exist on the federal level.

The similarities between the HealthCare.gov and Vermont attacks are significant because they suggest a top-to-bottom lack of security that afflicts the federal and state exchanges alike.

Michael Gregg, a cybersecurity expert who testified to Congress about HealthCare.gov risks, tells NRO this evening: “I think the most important take-away, unfortunately, is to still be very leery about how well these systems have actually been secured. We’re still potentially running code and applications that seem to be vulnerable at one point, and these systems may still be at this state: We’re still working with these patched systems. All this stuff should have been rebuilt from the ground up with security as the first thing in mind.”

— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.

