HHS hacked five times in three years

Greg Nash

Hackers have breached at least five divisions of the Department of Health & Human Services (HHS) over the last three years.

That's according to the House Energy & Commerce Committee, which on Thursday released its findings from a yearlong look into the security of HHS networks.

“What we found is alarming and unacceptable,” said Committee Chairman Rep. Fred Upton (R-Mich.) and Oversight and Investigations Subcommittee Chairman Tim Murphy (R-Pa.), in a joint statement.

In addition to the five digital intrusions, the report said investigators uncovered years of nonpublic inspector general reports that revealed “pervasive and persistent deficiencies across HHS and its operating divisions’ information security programs.”

“At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack,” the two lawmakers said.

The committee launched the security review after the Food and Drug Administration (FDA), a department within HHS, suffered a breach in late 2013 that exposed account details on more than 14,000 people.

The committee's search found five additional breaches at HHS, although the findings said the extent of each is unclear.

“Of concern to the committee, officials at the affected agencies often struggled to provide accurate, clear and sufficient information on the security incidents during the committee’s investigation,” the report said.

In some cases, the confusion may have resulted from information security workers not being given the right authorities.

“Information security officials are not always permitted full visibility into their own networks as a result of their relationship with agency contractors, who may own and operate portions of agency networks,” the report said.

In other cases, offices were poorly organized or simply made mistakes. In two of the breaches, officials missed required software patches. At another HHS division, security workers mistook a list of hacker aliases for a list of security vulnerabilities.

The report’s release comes on the heels of the massive data breach at the Office of Personnel Management (OPM), which shed light on the sluggish security practices across the federal government. The OPM intrusion, which experts have tied to China, compromised more than 22 million people’s most personal information.

“With the recent Office of Personnel Management attack serving as another example of how wrong things can go, this report pulls back the curtain and sheds light on serious deficiencies in HHS’s information security practices,” said Upton and Murphy.