A hacker breached HealthCare.gov in July and uploaded malicious software, apparently intending to use the system in future cyberattacks against other websites.
The break-in, first reported by The Wall Street Journal, was discovered last week by federal health officials, who said no personal data was taken.
It is the first successful, confirmed hack of the federal health insurance exchange that went through a rocky launch last year.
According to the Department of Health and Human Services (HHS), agency officials noticed a problem with one of the test servers used by the ObamaCare website last week. The FBI and Department of Homeland Security were called in to investigate the attack.
Congressional staffers were briefed about the hack on Thursday, the agency said.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” the HHS said. “We have taken measures to further strengthen security.”
HealthCare.gov was not specifically targeted by the hack, the Health Department said, which could indicate that the affected test server was compromised in the course of a broad campaign to find vulnerabilities at government and private websites across the Web.