Connecticut Medicaid Portal Breach Exposes 22,500 Patients After Credential Theft
Attackers used stolen Hartford HealthCare credentials to access the HUSKY provider portal, exposing personal data for 22,500 Medicaid patients. Notifications began May 22.

TL;DR: On March 25, Connecticut officials confirmed that a hacker accessed the Medicaid provider portal using stolen Hartford HealthCare credentials, exposing data for 22,500 patients. Notification letters went out May 22, offering credit and identity monitoring.
Context: The breach occurred when attackers used compromised employee logins to enter the Hartford HealthCare portal on the Connecticut Medicaid (HUSKY) system. Initial unauthorized activity was detected on March 4, but the intrusion was not identified until March 25 by the Department of Social Services and its fiscal agent Gainwell Technologies. Investigators said the activity appeared financially motivated and did not target Social Security numbers or bank details.
Key Facts: Approximately 22,500 Medicaid patients had personal information viewed or downloaded. Exposed fields included full name, Hartford HealthCare or Medicaid claim ID, dates of service, description of services billed, payment amounts, and non‑Medicaid insurance policy and group numbers. No Social Security numbers, credit card numbers, or bank account data were stored in the accessed portal, so those elements were not compromised. The attacker’s access was terminated after discovery, and external cybersecurity experts confirmed the environment was contained.
What It Means: The incident highlights the risk of credential‑based attacks on health‑care portals that lack multi‑factor authentication. Defenders should enforce MFA for all remote access, rotate passwords for privileged accounts, and monitor login attempts for impossible travel or unusual geographic patterns (MITRE ATT&CK T1078). Applying the principle of least privilege and segmenting the provider portal from internal networks can limit lateral movement. Organizations should also review CISA’s Advisory AA23‑001A on securing remote desktop services and consider deploying UEBA tools to detect anomalous account use. Affected individuals received mail notifications beginning May 22 and were offered free credit and identity monitoring; a hotline (1‑855‑744‑4488) remains open for questions.
What to watch next: State officials plan to publish a post‑incident report detailing additional security upgrades, and federal agencies may scrutinize compliance with HIPAA’s breach notification rule; stakeholders should monitor for any follow‑up phishing campaigns targeting Hartford HealthCare employees.