▣ Breach CONNECTICUT-MEDICA 2026-05-29

Connecticut Husky Medicaid Portal: Credential Theft and Payment Diversion Attempt

Connecticut's Medicaid program confirmed that a hack of its Gainwell Technologies-operated "Husky" provider web portal exposed the personal data of 22,500 individuals as part of a thwarted scheme to reroute hospital reimbursement payments to cybercriminals. Hartford HealthCare disclosed the incident this week after attackers used compromised employee credentials to access the provider portal on March 4, 2026.

What Happened

Hartford HealthCare identified unusual activity on March 25, 2026, tied to accounts associated with the web portal that the Connecticut Department of Social Services requires Medicaid providers to use for claims submission and payment processing. The portal is hosted and maintained by Gainwell Technologies on behalf of the state's Medicaid program, branded as Husky.

Investigators determined the intrusion began on March 4, when attackers logged in using valid credentials belonging to Hartford HealthCare employees. The state government confirmed the breach affected approximately 22,500 individuals. The attackers' objective was financial: they attempted to reroute Medicaid reimbursements owed to the hospital system into accounts under their control. Gainwell stated that its security controls prevented any Medicaid funds from being transferred improperly, and no ransom demand was made.

What Was Taken

The attackers downloaded files containing patient information from the Husky provider portal. Exposed data elements include:

Social Security numbers and financial account information were not exposed, as that data is not stored in the portal accessed by the attackers. Hartford HealthCare also confirmed that no patient information held by its own internal systems was implicated in the breach.

Why It Matters

This incident underscores a growing pattern: payment-diversion fraud targeting healthcare provider portals is no longer theoretical. Attackers are bypassing hardened hospital infrastructure entirely by targeting upstream payer and clearinghouse platforms, where a single set of compromised credentials can grant access to thousands of patient records and the financial workflow controlling reimbursement disbursement.

For Medicaid programs in particular, the volume of providers, the reliance on third-party administrators like Gainwell, and the predictable cadence of state reimbursement cycles make these portals high-value targets. The 22,500 affected individuals here are a fraction of the potential blast radius across the dozens of state Medicaid contractors operating similar architectures. The incident also reinforces that PHI breaches and financial fraud are increasingly intertwined attack objectives rather than separate threat models.

The Attack Technique

Gainwell stated that the root cause was the attacker's ability to compromise credentials that Hartford HealthCare employees used to log in to multiple payer portals, but declined to specify how the credentials were obtained. The reuse of credentials across "multiple payer portals" suggests either credential phishing targeting hospital revenue cycle staff, infostealer malware harvesting browser-stored credentials, or credential stuffing using previously leaked passwords.

The absence of multifactor authentication enforcement, or its bypass, is a likely contributing factor given that valid credentials alone were sufficient to authenticate, download bulk patient data, and attempt to modify payment routing instructions. The 21-day dwell time between initial access on March 4 and detection on March 25 indicates the portal lacked behavioral anomaly detection for high-volume file downloads or payment configuration changes.

What Organizations Should Do

Healthcare providers, state Medicaid agencies, and third-party administrators operating payer portals should take the following steps:

  1. Enforce phishing-resistant MFA on all provider portal accounts, prioritizing FIDO2 or hardware tokens over SMS and push-based factors that are vulnerable to fatigue and interception attacks.
  2. Deploy infostealer monitoring across hospital revenue cycle and billing staff endpoints, and subscribe to credential exposure feeds to detect stolen credentials before they are weaponized.
  3. Implement behavioral analytics on portal sessions to flag anomalous activity such as bulk file downloads, off-hours logins, access from new geographies, or changes to payment routing details.
  4. Require out-of-band verification for any changes to bank account or remittance routing configurations within payer portals, with a mandatory cooldown period before funds are disbursed to new accounts.
  5. Segment portal credentials so that staff cannot reuse the same login across multiple payer or clearinghouse platforms, reducing the blast radius of any single credential compromise.
  6. Audit vendor security posture for Medicaid administrators and clearinghouses, including review of logging, MFA enforcement, and incident notification timelines under HIPAA business associate agreements.
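One way to implement the session-level rules in steps 3 and 4 above, as an added example that is not code from Gainwell, Hartford HealthCare or the state: the log format, field names, per-user baselines, thresholds and sample log lines are all constructed assumptions, chosen so that a session resembling the one described in this brief (off-hours login, bulk download, then a remittance change followed by a payout inside the hold period) is flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real portal logs): "<ISO time> <user> <country> <action> <detail>"
SAMPLE_LOG = """\
2026-03-04T02:13:00 jdoe US LOGIN -
2026-03-04T02:14:10 jdoe US DOWNLOAD claims_batch_01.csv
2026-03-04T02:14:40 jdoe US DOWNLOAD claims_batch_02.csv
2026-03-04T02:15:05 jdoe US DOWNLOAD claims_batch_03.csv
2026-03-04T02:15:30 jdoe US DOWNLOAD claims_batch_04.csv
2026-03-04T02:16:00 jdoe US DOWNLOAD claims_batch_05.csv
2026-03-05T09:40:00 jdoe RO LOGIN -
2026-03-05T09:41:00 jdoe RO REMIT_CHANGE acct=NEW-ACCT-0001
2026-03-06T10:00:00 jdoe RO DISBURSE acct=NEW-ACCT-0001
2026-03-06T14:05:00 asmith US LOGIN -
2026-03-06T14:06:00 asmith US DOWNLOAD remittance_advice.pdf
"""

BASELINE_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}}  # assumed per-user login history
BULK_THRESHOLD, BULK_WINDOW = 5, timedelta(minutes=10)    # assumed bulk-download threshold
BUSINESS_HOURS = range(6, 20)                               # assumed: 06:00-19:59 is normal
COOLDOWN = timedelta(days=3)                                # assumed hold on payouts to new accounts

def analyze(log_text):
    """Return (timestamp, user, rule, detail) alerts for the assumed log format above."""
    alerts, downloads, remit_changed = [], defaultdict(list), {}
    for line in log_text.splitlines():
        ts_s, user, country, action, detail = line.split(" ", 4)
        ts = datetime.fromisoformat(ts_s)
        if action == "LOGIN":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append((ts_s, user, "off_hours_login", f"{ts.hour:02d}:00"))
            if country not in BASELINE_COUNTRIES.get(user, set()):
                alerts.append((ts_s, user, "new_geography", country))
        elif action == "DOWNLOAD":
            # sliding window of this user's downloads; fire once when the window first fills
            win = downloads[user] = [t for t in downloads[user] if ts - t <= BULK_WINDOW] + [ts]
            if len(win) == BULK_THRESHOLD:
                alerts.append((ts_s, user, "bulk_download", f"{len(win)} files in {BULK_WINDOW}"))
        elif action == "REMIT_CHANGE":
            # every routing change is routed to out-of-band verification (step 4)
            remit_changed[detail] = ts
            alerts.append((ts_s, user, "remit_change_verify", detail))
        elif action == "DISBURSE":
            changed = remit_changed.get(detail)
            if changed is not None and ts - changed < COOLDOWN:
                alerts.append((ts_s, user, "disburse_in_cooldown", detail))
    return alerts

print(*analyze(SAMPLE_LOG), sep="\n")
```

The benign asmith session produces no alerts, while the jdoe session trips all four rule families, which is the signal a 21-day dwell time implies was missing here.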

Sources: Connecticut Medicaid Portal Hack Affects Thousands