A hacker broke into part of the HealthCare.gov insurance enrollment website in July and uploaded malicious software.
Investigators found no evidence that consumers' personal data were taken or viewed during the breach, federal officials said. The hacker appears only to have gained access to a server used to test code for HealthCare.gov, said the Wall Street Journal.
"The server was connected to more sensitive parts of the website that had better security protections," the Journal said. "That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information, an official at the Department of Health and Human Services said. There is no indication that happened, and investigators suspect the hacker didn't intend to target a HealthCare.gov server."
The HHS official said the attack appears to mark the first successful intrusion into the website, where millions of Americans bought insurance starting last year under the 2010 Affordable Care Act. The agency discovered the attack last week.
"Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted," HHS said in a written statement. "We have taken measures to further strengthen security."
The White House and congressional staff have been briefed on the matter, officials said. The Department of Homeland Security, Federal Bureau of Investigation and National Security Agency have aided the investigation, which is active, said the Wall Street Journal. The FBI traced the attack to several Internet addresses—some overseas—but doesn't think it is the work of a state-backed actor, officials said.