By William Knowles @c4i
September 5, 2014
The commonplace malware was designed to launch “denial of service” attacks against other websites, HHS said, and there is no evidence any consumers’ personal information was sent to an external IP address. The attack did not appear to directly target HealthCare.gov, and the server that was targeted did not contain any consumers’ personal information.
The Wall Street Journal reports that the server was connected to more sensitive parts of the website that had better security protections, the officials said. That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information, an official at the Department of Health and Human Services said. There is no indication that happened, and investigators suspect the hacker didn’t intend to target a HealthCare.gov server.
Washington officials said they are concerned an intruder gained access to the HealthCare.gov network through a basic security flaw. The server had low-security settings because it was never meant to be connected to the Internet, the HHS official said. When the hacker broke in, it was only guarded by a default password, which often is easy to crack.
It should be noted that the Department of Health and Human Services in the 2014 Annual Report to Congress on the Federal Information Security Management Act [PDF] scored only 43% in 2014 down from 50% in 2013.