The Corner

Undetected for a Month, Romanian Hacker Attacks Vermont Health Exchange Server

As Obamacare enrollment closed, Vermont’s Democrats pronounced “Obamacare is working” and gloated about the fact that its state exchange had enrolled 54 percent of the eligible market, the highest rate in the nation.

That purported success is looking more questionable by the moment.

Today, I report on how a Romanian hacker working from an IP known for attacks was able to successfully penetrate a Vermont health exchange’s development server—and go undetected for a month.

The hack was possible because of a couple of stupid mistakes: the password for the server was never changed from the default, and no one bothered to restrict access to only approved users.

In the words of Vermont’s chief of health-care reform, it was the equivalent of “someone walking into an unlocked, new house, and the default password for the alarm system is on a Post-It note next to the alarm pad, and the front door was unlocked.”

Vermont’s officials say they don’t believe that consumer information was compromised, but a respected cybersecurity expert I spoke to wasn’t so sure:

Michael Gregg, the CEO of the cyber-security consulting firm Superior Solutions, says it’s possible the hacker went on to access other parts of Vermont Health Connect, covering his tracks and remaining undetected to this day.

“There is potential for consumer risk,” says Gregg, who has also testified to Congress about cyber-security risks for “Best practices were not carried out in several respects. All those point to the possibility of further or additional breaches, because they have just not shown that they have done the due diligence, and without those controls in place, it’s hard to say. The attacker could have captured passwords on additional systems and used those to create different accounts that Vermont Health Connect doesn’t know about yet.”

And keep in mind that this wasn’t Vermont’s first security breach:

Last November, the Associated Press reported on an incident in which an enrollee received his own application in the mail, courtesy of an anonymous sender who had scrawled “VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!” on both the envelope and the application. The unnamed sender had obtained paperwork that included the applicant’s Social Security number as well as other private information.

The Vermont health exchange had struggled with its technology from the beginning. As Newsweek reported in February:

Vermont’s CGI-built website didn’t work on October 1, and today, the state still does not have a fully functioning marketplace. There is no way for small businesses, the heart of Vermont’s economy, to purchase coverage online; instead, they have to buy insurance directly from one of two state-approved insurers. Payments for premiums still cannot be processed online – people have to snail-mail checks to a CGI processor in Nebraska. And individuals who registered online but then got divorced, changed jobs or had either pay cuts or increases cannot alter their information online.

Some of those glitches continue to be a problem even now:

The online premium payment system for small businesses has never worked and now state officials say it won’t be ready until sometime next year.

Vermont is the only state in the country to mandate that all small businesses purchase their coverage on the state’s health care exchange. That’s why there was a lot of concern when the online premium payment system for businesses wasn’t ready to go last October. Eight months later, it still doesn’t work.

Vermont’s Democrats have some funny ideas about what “working” means.

— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.
