Jayne O'Donnell

USA TODAY

The federal insurance site HealthCare.gov was hacked this summer, and intruders installed malicious software but didn't access consumers' personal data, the Department of Health and Human Services said Thursday.

A security team from the Centers for Medicare and Medicaid Services discovered an anomaly on Aug. 25 through security logs for one of the servers on the system. The team later found malicious files on a test server used to support the site, HHS said.

"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted. We have taken measures to further strengthen security," the agency said in a statement.

HHS said it doesn't believe that the hackers targeted HealthCare.gov, which handles the Affordable Care Act marketplaces for the 34 states that didn't set up their own insurance exchanges.

The so-called malware put on the test server was designed to launch a "denial of service" attack against other websites when activated, HHS said. The department is reviewing its security improvements and upgrades.

The attack, first reported by The Wall St. Journal, appears to be the first successful attack on HealthCare.gov.

Republicans raised concerns before the launch about possible security risks at HealthCare.gov.



Some say the hack could be a wake-up call for regulators.

"Now they'll take security much more seriously," said Dan Bowerman, a former medical director at a major insurer who has assisted in state and federal fraud investigations.



