Attackers "used the front door," according to acting CMS CIO Rajiv Uppal, and had the ability to access a ton of PII.