Attackers behind CMS portal breach used legit accounts to swipe data

The attackers responsible for a breach of an online portal run by the Centers for Medicare and Medicaid Services last month did so by taking advantage of lax privileges given to legitimate accounts, CyberScoop has learned.

In October, CMS announced that hackers obtained data on 75,000 people from a portal used by health insurance agents and brokers assisting people with direct enrollment in the government’s health insurance exchanges.

On an internal briefing call held Wednesday at the Department of Health and Human Services, acting CMS CIO Rajiv Uppal updated agency IT officials with more details on the breach. The details of that call were shared with CyberScoop.

Uppal said the breach happened after 45 portal accounts were discovered to be conducting millions of searches in order to pull information from the database. From those searches — which included names, birthdates and the last four digits of Social Security numbers — attackers were able to get data on 50,000 healthcare applications. Since applications often cover more than one person, the information covered in those applications affected approximately 75,000 people.

“The actors didn’t break into the system using some sort of obscure hack or something else, they used the front door,” Uppal said on the call.

The agency will be issuing a public update on the breach sometime Friday afternoon.

According to a letter sent to victims Wednesday, it’s possible that attackers could have also accessed the following information:

• Expected income, tax filing status, family relationships, whether an applicant is a citizen or an immigrant, immigration document types and numbers, employer name, whether the applicant was pregnant, and whether the applicant already had health insurance;

• Information provided by other federal agencies and data sources to confirm the information provided on the application, and whether the Marketplace asked the applicant for documents or explanations;

• The results of the application, including whether the applicant was eligible to enroll in a qualified health plan (QHP), and if eligible, the tax credit amount;

• and if an applicant enrolled, the name of the insurance plan, the premium, and dates of coverage.

Attackers did not have access to bank account numbers, credit card numbers, or diagnosis and treatment information, according to the agency.

The 45 portal accounts, according to Uppal, were created sometime between May and October. The department does not know if the attackers were nation-state based, a criminal organization or a rogue set of insurance brokers.

In October, the agency deactivated accounts linked to the suspicious activity. It also took the portal offline for a week out of “an abundance of caution.”

It’s unclear how the 45 accounts failed to raise suspicion over the May to October period. However, on the call, Uppal said one reason the accounts stayed under the radar is due to the portal allowing for unlimited amounts of database searches. The portal was originally set up this way in order to keep brokers happy from a customer service perspective.

“What we are looking at now is how do we step back and do a threat assessment, and what are the trade offs we make in terms of making sure we have good behavior from valid users, and don’t assume every user has good intentions,” Uppal said on the call.

The agency is also looking at ways to better monitor user behavior and organize the way different cloud-based services interact with one another.

CMS said that people affected by the breach will be able to apply for free credit protection services once the agency finishes assessing what information was accessed.