Politics & Policy

HealthCare.gov Hack Reminiscent of Earlier Vermont Exchange Attack

Obamacare vulnerabilities abound on the federal and state levels

As the Wall Street Journal breaks news this afternoon about a successful hack at HealthCare.gov, this reporter struck by the similarities to a previous Obamacare break-in, one at the Vermont health exchange.

To begin with, it’s appalling how basic both hacks were.

Despite numerous policies and best practices governing security, the HealthCare.gov server “was guarded only by a default password,” and it “had such low security settings because it was never meant to be connected to the Internet,” the Journal writes. In other words — those of an HHS official, in fact — “there was a door left open.”

Similarly, in Vermont, the development server’s default password was never changed.

Lawrence Miller, the state’s chief of health-care reform, told NRO at the time: “[The hacked server] frankly should never have been plugged into the wall as far as I could tell. If [this breach] had been any measure of our [overall] security system, that would be very problematic, but it’s more like someone walking into an unlocked, new house, and the default password for the alarm system is on a Post-It note next to the alarm pad, and the front door was unlocked.”

Also disturbing, at both a federal and a state level, it’s taking far too long for the government to detect hacks.

The Journal reports that although the hacker gained access and installed malware on a HealthCare.gov server in July, the Department of Health and Human Services “discovered the break in weeks later on Aug. 25 during a daily security scan” (emphasis added). Similarly, in Vermont, it took the health exchange an entire month to detect the attack — and by that time, the hacker had accessed the server at least 15 times.

While the Federal Bureau of Investigation does not believe the hack was a state-sponsored attack, according to the Journal, it did trace the attack back to several IP addresses from abroad. In Vermont, the health-exchange hack originated from Romania.

In both instances, officials have been quick to say that no personal information was compromised, as far as they know. But in Vermont, at least, experts were less confident. Similar unknowns may exist on the federal level.

The similarities between the HealthCare.gov and Vermont attacks are significant because they suggest a top-to-bottom lack of security that afflicts the federal and state exchanges alike.

Michael Gregg, a cybersecurity expert who testified to Congress about HealthCare.gov risks, tells NRO this evening: “I think the most important take-away, unfortunately, is to still be very leery about how well these systems have actually been secured. We’re still potentially running code and applications that seem to be vulnerable at one point, and these systems may still be at this state: We’re still working with these patched systems. All this stuff should have been rebuilt from the ground up with security as the first thing in mind.”

— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.

Most Popular


Americans Are Royally Confused about Monarchy

Conventional wisdom regarding America’s relationship with royalty goes something like this: Americans have no time for monarchy as a political concept but can’t get enough of the British royal family. The American media’s round-the-clock coverage of the recent royal wedding certainly seems ample evidence of ... Read More

The Trump Rationale

Why exactly did nearly half the country vote for Donald Trump? Why also did the arguments of Never Trump Republicans and conservatives have marginal effect on voters? Despite vehement denunciations of the Trump candidacy from many pundits on the right and in the media, Trump nonetheless got about the same ... Read More
Politics & Policy

The Media See Only One Collusion Story

President Trump is opening a whole new chapter in the war between him and the investigators pursuing him. Today, he tweeted: “I hereby demand, and will do so officially tomorrow, that the Department of Justice look into whether or not the FBI/DOJ infiltrated or surveilled the Trump Campaign for Political ... Read More