Hackers breached security at the website of the government’s health insurance marketplace, HealthCare.gov, but did not steal any personal information on consumers, Obama administration officials said Thursday.
The administration informed Congress of the violation, which it described as “an intrusion on a test server” supporting the website.
“Our review indicates that the server did not contain consumer personal information, data was not transmitted outside the agency and the website was not specifically targeted,” said Aaron Albright, a spokesman at the Centers for Medicare and Medicaid Services, which runs the website. “We have taken measures to further strengthen security.”
Mr. Albright said the hacking was made possible by several security weaknesses. The test server should not have been connected to the Internet, he said, and it came from the manufacturer with a default password that had not been changed.
In addition, he said, the server was not subject to regular security scans as it should have been.
The security of HealthCare.gov, which serves residents of 36 states, has been a major concern for some members of Congress, particularly Republicans.
Congressional investigators found that administration officials, eager to begin enrollment on Oct. 1, activated the website even though its security had not been fully tested and did not meet federal standards. This created a potentially “high risk” for the exchange, according to a memorandum prepared by security experts at the Medicare agency.
Since then, administration officials have repeatedly reassured consumers that the problems were fixed.
Senator Orrin G. Hatch of Utah, the senior Republican on the Finance Committee, said Thursday that the intrusion into HealthCare.gov “should come as a surprise to no one.”
“Despite numerous warnings from myself and other lawmakers that security breaches were possible, HealthCare.gov underwent virtually no independent security testing” before it went live, Mr. Hatch said.
The attack was noticed by federal employees on Aug. 25. Hackers downloaded malicious software onto a test server of HealthCare.gov as part of a broader denial-of-service attack, intended to cripple other websites. In such an attack, hackers infect hundreds or thousands of computers with malware, assembling them into a network known as a botnet, and then command those computers to send traffic to a particular website in an effort to push it offline.
For months, cybersecurity professionals have been warning that the health care site was a ripe target for hackers eager to gain access to personal data that could be sold on the black market. A week before federal officials discovered the breach at HealthCare.gov, a hospital operator in Tennessee said that Chinese hackers had stolen personal data for 4.5 million patients.
“This was a botnet exploit, but you can be assured that had this been a more targeted attack, it would have been much more successful, stealthy and effective,” said Wayne Jackson, the chief executive of Sonatype, a software security firm.