Malware Bug Hits ObamaCare Server

ObamaCare has become the victim of malicious hacking after unknown cyber criminals broke into the government health insurance site and uploaded a range of files designed to launch attacks against other sites.

The Centers for Medicare and Medicaid Services that leads the HealthCare.gov website at the heart of the Obamacare scheme briefed congressional staff on Thursday about the intrusion that first occurred way back on 8 July, spokesman Aaron Albright told Reuters.

"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," Albright said. "We have taken measures to further strengthen security."

Malware uploaded to the server was designed to launch distributed denial of service [DDoS] attacks against other websites and Albright added that the discovery won’t delay the second open enrolment period for Obamacare that gets underway on 15 November.

The Department for Homeland Security, which investigates cyber attacks, indicated that its Computer Emergency Readiness Team [US-CERT] has forensically preserved the server and removed the DDoS malware. Analysis following the attack produced by the agency suggested that it was a test server that is used to try out new code before it goes live and didn’t actually run HealthCare.gov.

In any case, the test server wasn’t even supposed to be connected to the Internet but somehow was and David Kennedy, from Internet security firm TrustedSec, isn’t convinced that this is the only time the site has been successfully hacked.

"There are fundamental flaws in how they're coding the website and it's going to take a long, long time to fix it," he told Reuters. "It continues to be a really big glaring security hole."

Kennedy added that it seems an anomaly that hackers would upload the malware and not end up using it, though didn’t rule it out. DDoS attacks have risen dramatically over the past couple of years and research released in March showed that 82 per cent of DDoS protection has no effect whatsoever.