A hacker breached HealthCare.gov in July and uploaded malicious software, apparently intending to use the system in future cyberattacks against other websites.
The break-in, first reported by The Wall Street Journal, was discovered last week by federal health officials, who said no personal data was taken.
It is the first successful, confirmed hack of the federal health insurance exchange that went through a rocky launch last year.
Congressional staffers were briefed about the hack on Thursday, the agency said.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” the HHS said. “We have taken measures to further strengthen security.”
HealthCare.gov was not specifically targeted by the hack, the Health Department said, which could indicate that the affected test server was compromised in the course of a broad campaign to find vulnerabilities at government and private websites across the Web.
The common malware uploaded to the test server was designed to incapacitate other websites — a method known as a “denial of service” attack — and was not intended to steal individual people’s data, according to government officials.
Officials are currently preparing for ObamaCare's second enrollment period and are certain to face questions from Congress about the site's security. The HHS said the data breach should not have any impact on the enrollment process, which is set to begin Nov. 15.
Republicans in Congress have long warned the site is insecure and could expose millions of Americans’ personal data.
The House Ways and Means subcommittee on health has already scheduled a hearing on the implementation of the Affordable Care Act next Wednesday, which would seem to be a prime opportunity for questions about the security failure.
Rep. Diane Black (R-Tenn.) lambasted the administration Thursday, warning that HealthCare.gov is “an open invitation for hackers” because of the amount of personal information required.
She said that the administration “would be under no obligation to disclose if sensitive personal information were breached” in the attack, and urged the Senate to follow the House’s lead and pass a bill requiring the HHS to notify people if their information is stolen from the site.
Revelations about the hack come on the heels of a potentially major data breach at Home Depot, which could have compromised millions of shoppers’ credit and debit card information, and the headline-grabbing theft of female celebrities’ intimate photos.
News of the HealthCare.gov breach came just hours after President Obama appointed former Google executive Megan Smith to be the next U.S. chief technology officer. Smith’s predecessor, Todd Park, was credited with helping to turn around the troubled healthcare insurance site after its initial launch last year.
— This story was last updated at 5:40 p.m.