No PII accessed by healthcare.gov breach, officials say

By Chad Hemenway on September 18, 2014

An official at the Department of Homeland Security said malware found on a healthcare.gov server late last month compromised no data.

Speaking before the US House Committee on Oversight and Government Reform on September 18, US Computer Emergency Readiness Team (US-CERT) Director Ann Barron-DiCamillo said it worked with the Department of Health and Human Services to analyze distributed denial-of-service (DDoS) malware discovered on a single test server.

“This type of malware is not designed to extract information and there is no indication that any data was compromised as a result of this intrusion,” she reported.

DiCamillo said DHS continues to monitor the situation and will develop and implement proactive mitigation strategies with HHS.

The breach, first reported by the Wall Street Journal, is said to be the first into the website where millions bought health insurance under the Affordable Care Act.

DiCamillo’s statements to the House committee echo earlier statements from HHS. The department has said the website was not targeted and its review showed the server “did not contain consumer personal information,” and “data was not transmitted outside the agency, and the website was not specifically targeted.”

CMS (Centers for Medicare and Medicaid Services) Administrator Marilyn Tavenner, whose agency oversees HealthCare.gov, told the committee: “To date, there is no evidence that a person or group has maliciously accessed personally-identifiable information (PII) from the site. The privacy and security of consumers’ PII are top priorities for CMS. As part of that effort, CMS has taken many steps and implemented several security controls to secure PII.”

She said the website was designed in accordance with standards set forth by the National Institute of Standards and Technology (NIST).

An independent firm tested the website before its launch about a year ago, and all security risks were “either fixed or had strategies and plans that met industry standards in place to fix the findings,” Tavenner said, adding that CMS required each state to sign agreements to bind them to rules and operating procedures.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy.