Politics & Policy

HealthCare.gov Hack Reminiscent of Earlier Vermont Exchange Attack

Obamacare vulnerabilities abound on the federal and state levels

As the Wall Street Journal breaks news this afternoon about a successful hack at HealthCare.gov, this reporter is struck by the similarities to a previous Obamacare break-in, one at the Vermont health exchange.

To begin with, it’s appalling how basic both hacks were.

Despite numerous policies and best practices governing security, the HealthCare.gov server “was guarded only by a default password,” and it “had such low security settings because it was never meant to be connected to the Internet,” the Journal writes. In other words — those of an HHS official, in fact — “there was a door left open.”

Similarly, in Vermont, the development server’s default password was never changed.

Lawrence Miller, the state’s chief of health-care reform, told NRO at the time: “[The hacked server] frankly should never have been plugged into the wall as far as I could tell. If [this breach] had been any measure of our [overall] security system, that would be very problematic, but it’s more like someone walking into an unlocked, new house, and the default password for the alarm system is on a Post-It note next to the alarm pad, and the front door was unlocked.”

Also disturbing, at both a federal and a state level, it’s taking far too long for the government to detect hacks.

The Journal reports that although the hacker gained access and installed malware on a HealthCare.gov server in July, the Department of Health and Human Services “discovered the break in weeks later on Aug. 25 during a daily security scan” (emphasis added). Similarly, in Vermont, it took the health exchange an entire month to detect the attack — and by that time, the hacker had accessed the server at least 15 times.

While the Federal Bureau of Investigation does not believe the hack was a state-sponsored attack, according to the Journal, it did trace the attack back to several IP addresses from abroad. In Vermont, the health-exchange hack originated from Romania.

In both instances, officials have been quick to say that no personal information was compromised, as far as they know. But in Vermont, at least, experts were less confident. Similar unknowns may exist on the federal level.

The similarities between the HealthCare.gov and Vermont attacks are significant because they suggest a top-to-bottom lack of security that afflicts the federal and state exchanges alike.

Michael Gregg, a cybersecurity expert who testified to Congress about HealthCare.gov risks, tells NRO this evening: “I think the most important take-away, unfortunately, is to still be very leery about how well these systems have actually been secured. We’re still potentially running code and applications that seem to be vulnerable at one point, and these systems may still be at this state: We’re still working with these patched systems. All this stuff should have been rebuilt from the ground up with security as the first thing in mind.”

— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.
