There is no indication consumers' personal data was breached or even targeted, but an intruder was able to install malicious software on the Obamacare online marketplace.
The perpetrator appears to have compromised a server used to test code for HealthCare.gov. The hack was not aimed specifically at Healthcare.gov, nor is it thought to be nation state-sponsored.
The intruder installed malware on the server to execute a “denial of service attack” on other websites. Hackers often hijack hordes of systems to flood other websites with bogus traffic that slows down the sites.
The offender was probing both government and commercial websites for a certain type of vulnerable server.
"If this happened anywhere other than HealthCare.gov, it wouldn't be news," a senior Homeland Security Department official told the Journal.
The incident occurred in July. The Health and Human Services Department detected the breach last week during a daily security scan.
Data was not transmitted outside the agency.
That said, officials seem to be taking the situation seriously.
“An HHS official said the attack appears to mark the first successful intrusion into the website, where millions of Americans bought insurance starting last year under the Affordable Care Act. It raised concerns among federal officials because of how easily the intruder gained access and how much damage could have occurred,” the Journal reports.
The server accessed had poor security because it was never meant to be connected to the Internet. It was merely guarded by a default password.
The FBI has traced the assault to several Internet addresses, some of which are overseas.