The Office of the Inspector General of HHS has released a report on penetration testing conducted on the Indian Health Services (IHS) network in June 2013. The testing was conducted, in part, because in its 2011 audit of IT general network controls, OIG found deficiencies that could allow attackers to gain access to the IHS network and potentially to the US Dept. of Health and Human Services network.
From the executive summary of their penetration testing, and using NIST 800-30 standards for characterizing risk, OIG found:
We were able to gain unauthorized access to an IHS Web server, which allowed us to access the internal IHS network and obtain user account and password data on the system, including user names and passwords to IHS databases (High Risk).
We were able to take control of an IHS computer, which allowed access to the computer’s resources, including records in the file system (Medium Risk).
You can access the full report on the OIG’s site (pdf), although specific detailed findings are not included in the public document due to their sensitivity.