HHS hacked five times in three years, House committee says

A House committee is now acknowledging that no fewer than five separate divisions within the Department of Health and Human Services have been breached by hackers during the past three years.

In a report published Thursday, the House of Representatives Committee on Energy and Commerce announced that an investigation into a security breach suffered by the Food and Drug Administration in 2013 revealed that several subsets within HHS had been compromised by hackers.

“What we found is alarming and unacceptable,” committee Chairman Fred Upton, Michigan Republican, and Oversight and Investigations Subcommittee Chairman Tim Murphy, Pennsylvania Republican, said in a joint statement. “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack.”

The 27-page review of HHS information security found that five operating divisions had been breached using unsophisticated means within the past three years, including the FDA.

“Of concern to the committee,” the report reads, “officials at the affected agencies often struggled to provide accurate, clear and sufficient information on the security incidents” during the course of their investigation.

In one instance, the committee found, the information security specialists at one of the breached HHS divisions mistook a roster of hacker aliases for a list of security vulnerabilities. Two other agencies were breached because of simple misconfigurations, the report continues, and another instance occurred as a result of an organization’s failure to patch a “critical” software vulnerability.

According to the committee, officials at two breached agencies were unable to provide accurate details about security incidents within their own networks.

“These incidents raise questions about whether information security officials have the appropriate level of expertise,” the report reads.

“While it is impossible to fully protect against cyber attacks, we have a responsibility to approach these issues with necessary foresight and diligence to minimize vulnerabilities and maximize security,”Upton and Murphy said.

In the Senate, meanwhile, attempts to reach an agreement on a cybersecurity bill have been unsuccessful this week, leaving the fate of the Cybersecurity Information Sharing Act, or CISA, to be unresolved until after summer recess concludes. Lawmakers will break until September after Friday.