The Corner

Undetected for a Month, Romanian Hacker Attacks Vermont Health Exchange Server

As Obamacare enrollment closed, Vermont’s Democrats pronounced “Obamacare is working” and gloated about the fact that its state exchange had enrolled 54 percent of the eligible market, the highest rate in the nation.

That purported success is looking more questionable by the moment.

Today, I report on how a Romanian hacker working from an IP known for attacks was able to successfully penetrate a Vermont health exchange’s development server—and go undetected for a month.

The hack was possible because of a couple of stupid mistakes: the password for the server was never changed from the default, and no one bothered to restrict access to only approved users.

In the words of Vermont’s chief of health-care reform, it was the equivalent of “someone walking into an unlocked, new house, and the default password for the alarm system is on a Post-It note next to the alarm pad, and the front door was unlocked.”

Vermont’s officials say they don’t believe that consumer information was compromised, but a respected cybersecurity expert I spoke to wasn’t so sure:

Michael Gregg, the CEO of the cyber-security consulting firm Superior Solutions, says it’s possible the hacker went on to access other parts of Vermont Health Connect, covering his tracks and remaining undetected to this day.

“There is potential for consumer risk,” says Gregg, who has also testified to Congress about cyber-security risks for HealthCare.gov. “Best practices were not carried out in several respects. All those point to the possibility of further or additional breaches, because they have just not shown that they have done the due diligence, and without those controls in place, it’s hard to say. The attacker could have captured passwords on additional systems and used those to create different accounts that Vermont Health Connect doesn’t know about yet.”

And keep in mind that this wasn’t Vermont’s first security breach:

Last November, the Associated Press reported on an incident in which an enrollee received his own application in the mail, courtesy of an anonymous sender who had scrawled “VERMONT HEALTH CONNECT IS NOT A SECURE WEBSITE!” on both the envelope and the application. The unnamed sender had obtained paperwork that included the applicant’s Social Security number as well as other private information.

The Vermont health exchange had struggled with its technology from the beginning. As Newsweek reported in February:

Vermont’s CGI-built website didn’t work on October 1, and today, the state still does not have a fully functioning marketplace. There is no way for small businesses, the heart of Vermont’s economy, to purchase coverage online; instead, they have to buy insurance directly from one of two state-approved insurers. Payments for premiums still cannot be processed online – people have to snail-mail checks to a CGI processor in Nebraska. And individuals who registered online but then got divorced, changed jobs or had either pay cuts or increases cannot alter their information online.

Some of those glitches continue to be a problem even now:

The online premium payment system for small businesses has never worked and now state officials say it won’t be ready until sometime next year.

Vermont is the only state in the country to mandate that all small businesses purchase their coverage on the state’s health care exchange. That’s why there was a lot of concern when the online premium payment system for businesses wasn’t ready to go last October. Eight months later, it still doesn’t work.

Vermont’s Democrats have some funny ideas about what “working” means.

— Jillian Kay Melchior is a Thomas L. Rhodes Fellow for the Franklin Center for Government and Public Integrity. She is also a Senior Fellow at the Independent Women’s Forum.
