Hacker breached HealthCare.gov website, planted malware on “ObamaCare”

Graham Cluley

The Wall Street Journal is reporting that a hacker managed to break into the US Government’s HealthCare.gov health insurance comparison website in July, and managed to implant malware.

The site was hacked back in July, but they only found out a week ago.

Before you start to have heart palpitations, take a deep breath and take some comfort in the news that investigators are claiming that the personal information of consumers does not appear to have been stolen or compromised.

Of course, that’s often a difficult thing to determine. After all, if the Mona Lisa gets stolen from the Louvre it’s pretty obvious – there’s a gap in the wall where the painting used to hang.

Data is different though. When it’s seized by hackers, you can’t tell that anything has been taken as they make a copy – they don’t typically destroy the version on your server. After all, that wouldn’t make sense. It would simply make it more obvious that a breach had occurred…

So we have to hope that the Department of Health and Human Services is right when it says in its review of the security breach it determined that the hacked server “did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted.”

The last part of that statement is interesting. The HealthCare.gov website was “not specifically targeted”.

To my ears that sounds like HealthCare.gov got hit as part of an attack which may have hit many websites, rather than by hackers who were hell bent on infecting the high profile ObamaCare site.

Perhaps it was the case that HealthCare.gov had a security flaw on it which was common with other sites on the net, and it just happened to be one of many sites which were exploited and had malicious code uploaded to them.

If so, in all likelihood, it may have been that the malicious code that was implanted into HealthCare.gov’s servers was designed to infect other computers on the web, perhaps as they visited third-party sites that surreptitiously ran the malicious code embedded on the ObamaCare website.

Whether specifically targeted, or hit in the crossfire of a more widespread attack, you don’t want to hear that hackers have managed to breach the US Government’s health insurance website – a website that stores highly sensitive information about American citizens including their Social Security numbers, financial details and the names of family members.

The news failed to come as a shock to some… For instance, security expert Dave Kennedy testified to Congress in January about security concerns he found with the site.

His response to the news that hackers had uploaded malware to HealthCare.gov?

https://twitter.com/HackingDave/status/507636738295353344

It’s hard to be definitive, as details are currently sketchy, but the news of HealthCare.gov’s latest woe only adds to the bad news that has revolved around the site since its launch in October last year, when it was crippled by numerous technical problems and became the butt of TV talk show jokes.

Let this be a lesson to websites big and small – you need to be thorough in your defences, and keep your guard up, to have any chance of preventing something similar happening to you.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

2 comments on “Hacker breached HealthCare.gov website, planted malware on “ObamaCare””

  1. No surprise they were hit. If this wasn't targeted and still got in I can only imagine how many others are in. They need to have Intelligence agency level security with multiple AVs scanning every document, high powered dynamic analysis, ddos, the works.

    Doesn't sound like they have much of that.

  2. Coyote

    "Before you start to have heart palpitations, …"

    Thanks Graham. Well done, as always.

    As for the situation, well hardly surprising that any government site gets attacked. Even low profile servers (like mine) see attack attempts a lot. Some are better than others with filtering and unfortunately governments are on the low end (hell, I've seen foreign government computers attempt to relay mail through my server. To this day it amuses me when I think of it even though it is bad in the end). Will they learn? I doubt it. NASA is a good example of how much they get it (the repeated claims that they'll be fixing things they already were supposed to have fixed years before).
