The federal health insurance website was breached on July 8 but no consumer information was taken, according to the Wall Street Journal.
However hackers installed software that could have been used to launch attacks on other websites, HHS officials told the newspaper.
The U.S. Department of Homeland Security confirmed the attack was confined to a single server that had been used for testing and contained no personal information such as names or Social Security numbers. The component did not have a firewall or intrusion detection software.
The intrusion was detected August 25 during a manual scan of system records by technicians, according to HHS.
HHS says the federal insurance portal did not appear to be specifically targeted. Instead, the agency believes, hackers were probing various government websites looking for potential weaknesses.
Hacking of government websites is common, HHS acknowledges. The July incident is believed to be the first successful intrusion into healthcare.gov.