Friday, September 5, 2014

HHS: Federal Exchange Site Hacked, No Personal Data Stolen

The inevitable 'hack' occurred in July, according to HHS officials. It involved the Federal Health Insurance Exchange, .

On Thursday, HHS officials announced that a hacker in July breached part of and uploaded malicious software, the Wall Street Journal reports (Yadron, Wall Street Journal, 9/4).
A team of investigators discovered the breach on Aug. 25 during a routine security scan. I suppose HHS and federal IT infrastructure have their own "Malwarebytes" to detect and clean their systems regularly. I know that good IT practices require this type of routine maintenance.
Perhaps the hackers broke in to see if they could improve for the Dept. of HHS. I am sure many were willing to help there.  Probably any videogamer could improve the web site.  It's been a whole year for things to improve, and the next enrollment period begins in about one month.
According to an HHS official, the attack appears to be the first successful breach of the website, through which millions of U.S. residents have purchased health insurance coverage since fall 2013.

Details of the Hack

Investigators found no evidence that enrollees' personal data were taken in the attack. Rather, the hacker accessed a server used to test code for the website (Wall Street Journal, 9/4).
Common malware was uploaded to the test server and designed to incapacitate other websites, a method often referred to as a "denial of service" attack. Government officials say the malware was not intended to steal consumers' data (Viebeck/Hattem, The Hill, 9/4).
"Our review indicates that the server did not contain consumer personal information; data [were] not transmitted outside the agency, and the website was not specifically targeted," HHS said, adding, "We have taken measures to further strengthen security" (O'Donnell, USA Today, 9/4).
I feel relieved.
It's about like someone breaking into your house and leaving a 'stink bomb' rather than taking your large screen T.V.


Rep. Darrell Issa (R-Calif.) -- chair of the House Oversight and Government Reform Committee -- in a statement said the revelations were "unsurprising" amid previous concerns about the website's security. He added that the administration repeatedly had "dismissed concerns about the security of, even as it obstructed congressional oversight on the issue." Issa also called on CMS Administrator Marilyn Tavenner to testify alongside GAO officials before the committee on Sept. 18 (Hattem, The Hill, 9/4).
Meanwhile, Rep. Diane Black (R-Tenn.) called on the Senate to join the House in passing the Health Exchange Security and Transparency Act (HR 3811), which would require the federal government to notify individuals if their personal information has been breached (Black release, 9/4). (A one paragraph-regulations)  I thought that was already covered by HIPAA.
Let us hope that things will get better (don't hold your breath).
