The Wall Street Journal cites unnamed federal officials as saying that a hacker gained access and uploaded malicious software to a server that is part of Healthcare.gov. The attack occurred in July and was discovered on August 25 during a daily security scan.
The officials say that the server is used only to test code for the site. The attacker gained no access to consumers' personal data and no such data was on the server. But because the server was not meant to be connected to the Internet, it was protected with a default password.
The FBI traced the attack to several IP addresses. They do not suspect a state actor, but rather one of many groups scanning for vulnerable systems on which to install software. The software in this case was meant for performing denial-of-service attacks. The story does not say whether the malicious software was ever used.
Attacks such as these are common and, as no meaningful data was compromised, this one is not considered a serious event. The Journal quoted a senior Department of Homeland Security official as saying "[i]f this happened anywhere other than HealthCare.gov, it wouldn't be news."
In addition to daily security scans, the site undergoes drill hacking exercises and quarterly security audits from Blue Canopy Group LLC, a private security company in Reston, Va.