
Credential theft exposes 22k Medicaid patients in HUSKY portal breach


The Connecticut Department of Social Services (DSS) and Gainwell Technologies disclosed a data security incident involving the HUSKY provider portal, the website used in connection with Connecticut’s Medicaid program. Gainwell provides fiscal agent and account administration services for HUSKY, which DSS administers.

 

What happened

According to the May 22, 2026, notice, DSS and Gainwell learned on March 25, 2026, that an unauthorized third party had accessed a small number of Hartford HealthCare payment accounts on the provider portal and downloaded files containing patient information. The investigation found the activity began on March 4, 2026, after the threat actor used compromised Hartford HealthCare employee credentials to enter Hartford HealthCare user accounts on the portal. DSS and Gainwell brought in external cybersecurity experts, coordinated with federal law enforcement, secured the affected part of the environment, and terminated the unauthorized access.

Investigators later confirmed that they had contained the incident and that the third party no longer had access to the portal. Although investigators viewed the activity as financially motivated rather than patient-data focused, the exposed files included information tied to about 22,500 people. The information varied by individual but could include names, Hartford HealthCare account or Medicaid claim identification numbers, dates of medical services, services received, billing information, payment amounts, and non-Medicaid insurance details, such as policy and group numbers.

 

The problem with patient portals

Paubox has covered the problem with patient portals, but a case that stood out was the 2024 Ascension breach. The cyberattack was an example of how quickly digital access problems can spill into care delivery, with electronic records and MyChart taken offline during the response. The issue is that portals concentrate useful data, depend heavily on identity controls, and often connect providers, business associates and patients in one workflow. When credentials fail, the portal becomes an entry point for threat actors to gain access to a wealth of data.

 

What was said

The notice of security incident stated, “Through the investigation, DSS and Gainwell determined that the unauthorized activity began when the threat actor used compromised credentials of Hartford HealthCare employees to access Hartford HealthCare user accounts on the provider portal on March 4, 2026.”

 

Why it matters

The DSS and Gainwell incident is an example of how exposed credentials can create risk far beyond a single login. The attacker did not need to break into every connected system. Access to Hartford HealthCare user accounts on the HUSKY provider portal was enough to reach payment-related files tied to Medicaid claims, care dates, billing activity, and insurance details. A 2026 healthcare cybersecurity review explains the risk clearly: “Compromised insider threats occur when attackers hijack legitimate user credentials,” allowing external actors to appear like trusted users inside healthcare systems.

Even without Social Security numbers or financial account data, the exposed details can make follow-up phishing and patient-targeted scams more convincing. A good example is the Change Healthcare cyberattack, which showed how stolen credentials can turn one trusted access point into a national healthcare disruption. The breach therefore raises a larger healthcare security issue: credential theft can turn a legitimate account into a quiet access point across portals, vendors, providers, and payment systems.


 

FAQs

When does federal law enforcement have to be notified of a data breach?

HIPAA does not create a blanket duty to notify federal law enforcement for every breach, but covered entities must notify HHS/OCR for breaches of unsecured protected health information (PHI).

 

Why is breach containment so necessary?

Containment stops ongoing unauthorized access, limits how much PHI can be viewed or downloaded, preserves evidence for investigation, and helps the organization determine who must be notified under HIPAA.

 

How do vendor breaches affect covered entities?

A vendor breach can trigger HIPAA obligations for the covered entity because business associates must notify the covered entity after discovering the breach.
