NCPA - National Center for Policy Analysis

Vermont Exchange Hacked

July 8, 2014

The Vermont health exchange's development server was attacked last December by a Romanian hacker, according to National Review.

While the technology firm in charge of the state's exchange, CGI Group, said the hacker did not access any servers that contained private consumer information, security expert Michael Gregg warns that the attacker may have gone on to access other parts of the exchange without detection. The hacker accessed the server at least 15 times and went undetected for an entire month.

How did the hacker gain access to the server in the first place? The default password for the server had never been changed, and access to the server was not restricted to approved users.

A European internet registry has already associated the hacker's IP addresses with other attacks, spam and malware. Had Vermont Health Connect been following best practices, says Gregg, it would have already blocked such potentially threatening IP addresses.

Vermont healthcare reform chief Lawrence Miller said that the highly compressed time frame in which the exchange was developed could have been a factor in the breach, noting that the hacked server was not protected by firewalls as it should have been.

In spite of these security lapses, Miller claims that Vermont residents ought to have confidence in the exchange to protect their private information, contending that no organization can ever make a security breach impossible.

Source: Jillian Kay Melchior, "Another Security Breach for Obamacare," National Review, July 1, 2014.

