A hacker breached security at HealthCare.gov in July 2014 and then uploaded malicious software, the Wall Street Journal is reporting.

There is no evidence that any consumer data was taken when the attacker accessed a test server for the HealthCare.gov website.

The attack, which was discovered just last week by the Department of Health and Human Services, was the first successful break into the Affordable Care Act website.

The Wall Street Journal is reporting that officials are concerned that the break in took place “easily”—a default password on a server never meant to be connected to the Internet acted as an open door—and could have potentially had a wide ranging impact.

However, Department of Health and Human Services officials said in a statement, the breached server had no consumer information, data was not transmitted outside of the agency, and the website itself was not even “specifically targeted,” suggesting it was breached as part of a wider campaign.

"We have taken measures to further strengthen security."

Instead of stealing information, the hacker reportedly left malware on the HealthCare.gov server that would have let it use its resources in denial of service attacks against other websites.

Over 5.4 million applicants have entered sensitive personal, financial, and medical data into HealthCare.gov, all of which could be used for effective identity theft. Although none of that data is known to have been taken, it’s easy to see why the attack is raising alarms in Washington D.C.

Investigators at the F.B.I, Homeland Security, and N.S.A. are currently looking into the incident which they say, according to the Wall Street Journal, was likely not the work of state-backed attackers.

H/T the Wall Street Journal | Photo via Pete Souza/Wikipedia