The Connecticut Department of Social Services (DSS) has confirmed a security breach affecting roughly 22,500 enrollees in the state's Medicaid program, known as HUSKY. According to DSS and its fiscal agent Gainwell Technologies, an unauthorized third party leveraged compromised Hartford HealthCare employee credentials to access the HUSKY provider portal and exfiltrate files containing patient information. The intrusion was discovered on March 25, 2026, three weeks after the initial access on March 4.
What Happened
On March 4, 2026, a threat actor used compromised credentials belonging to Hartford HealthCare (HHC) employees to log into HHC user accounts on the HUSKY provider portal, a website administered by DSS through fiscal agent Gainwell Technologies. The intruder accessed a small number of Hartford HealthCare payment accounts and downloaded files containing patient information.
The unauthorized activity went undetected for three weeks. DSS and Gainwell were alerted on March 25, at which point they revoked the third party's access, secured the provider portal, and engaged external cybersecurity experts. The investigation was conducted in coordination with federal law enforcement. Notifications to affected individuals went out by postal mail beginning May 22, 2026, roughly two months after discovery.
External investigators concluded that the attack was financially motivated rather than an effort to target patient data specifically, suggesting a broader fraud or resale objective consistent with credential-driven healthcare intrusions.
What Was Taken
Approximately 22,500 HUSKY enrollees had personal information exposed. Per the DSS statement, the impacted information varied by individual but could include:
- Full name
- Hartford HealthCare and Medicaid account or claim information numbers
- Dates of medical service
- Payment information
- Non-Medicaid health insurance information, including policy and group numbers
Notably, DSS stated that Social Security numbers and financial account numbers were not stored in the affected system and were not involved in the incident. Affected individuals are being offered credit monitoring, identity monitoring, and fraud support services.
Why It Matters
This breach illustrates a recurring pattern in healthcare ecosystems: the weakest link is rarely the program operator itself, but a downstream provider with portal access. State Medicaid programs, by design, expose claims and eligibility data to thousands of provider organizations, and any one of them becoming a credential reuse or phishing victim can put hundreds of thousands of beneficiaries at risk.
The 21-day dwell time between initial access (March 4) and detection (March 25) is also significant. For an attacker focused on bulk file download, three weeks is more than enough to enumerate accounts, identify high-value records, and stage exfiltration. The financial motivation flagged by investigators raises the likelihood that the stolen data will surface in fraud schemes targeting health insurance billing, medical identity theft, or resale on criminal markets, even without Social Security numbers in the mix.
The Attack Technique
The intrusion vector was credential compromise. Hartford HealthCare employee credentials, valid for the HUSKY provider portal, were obtained by the threat actor through means not yet publicly disclosed. Common precursors in similar healthcare incidents include phishing, infostealer malware on personal or corporate endpoints, password reuse against credential dumps, and MFA fatigue or bypass attacks.
Once authenticated, the attacker operated within the legitimate user session of HHC payment accounts and downloaded patient information files directly from the portal interface. There is no public indication that lateral movement extended beyond Hartford HealthCare's authorized portal scope, nor that backend systems holding Social Security or financial account data were touched. The attack appears to have stayed entirely within the boundaries of what the compromised accounts were authorized to access, which is precisely why it evaded detection for three weeks.
What Organizations Should Do
- Enforce phishing-resistant MFA on provider portals. SMS and push-based MFA are routinely defeated; deploy FIDO2 or certificate-based authentication for any portal handling PHI or claims data at scale.
- Monitor for anomalous bulk download behavior. Implement portal-side telemetry that flags volumetric file downloads, off-hours access, and impossible-travel logins. Three-week dwell time is a detection failure, not an attacker skill issue.
- Audit third-party credential hygiene. Program operators should require connected provider organizations to attest to MFA enforcement, infostealer monitoring, and credential rotation cadence, with contractual right to audit.
- Segment portal access by least privilege. Limit what any single provider account can enumerate or export. Cap bulk download volume and require justification or step-up authentication for large pulls.
- Deploy session anomaly detection. Behavioral analytics on authenticated sessions can catch attackers operating with valid credentials, where signature-based controls cannot.
- Run dark web and infostealer log monitoring for partner credentials. Stealer logs frequently contain corporate credentials for weeks before they are weaponized; proactive monitoring closes that window.
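The telemetry recommendations above (volumetric downloads, off-hours access, impossible-travel logins) can be prototyped against portal access logs in a few dozen lines. The following is an added illustration, not code from DSS, Gainwell or Hartford HealthCare, and it knows nothing about the real HUSKY portal's log format: the space-separated `key=value` line format, the account names, the coordinates and the thresholds (10 downloads or 50 MiB per rolling hour, 22:00-06:00 UTC as off-hours, 900 km/h as the fastest plausible travel) are all constructed assumptions that a real deployment would replace with its own schema and baselines.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds; tune to the portal's observed baseline.
DOWNLOADS_PER_HOUR = 10            # more than this per rolling hour is "bulk"
BYTES_PER_HOUR = 50 * 1024 * 1024  # or more than 50 MiB per rolling hour
OFF_HOURS = (22, 6)                # 22:00-06:00 UTC treated as off-hours
MAX_TRAVEL_KMH = 900.0             # faster than this between logins is impossible travel


def parse_line(line):
    """Parse one constructed log line: '<iso-ts> <event> key=value ...'."""
    ts_str, event, *fields = line.split()
    rec = {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event": event,
    }
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def analyze(lines):
    """Return a list of (alert_kind, account, detail) tuples for the given log lines."""
    alerts = []
    download_windows = defaultdict(deque)  # account -> deque of (ts, bytes) in the last hour
    bulk_flagged = set()                   # accounts already alerted for bulk download
    last_login = {}                        # account -> (ts, lat, lon)

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        acct = rec["acct"]

        if rec["event"] == "login":
            if is_off_hours(rec["ts"]):
                alerts.append(("off_hours_login", acct, rec["ts"].isoformat()))
            lat, lon = float(rec["lat"]), float(rec["lon"])
            if acct in last_login:
                prev_ts, prev_lat, prev_lon = last_login[acct]
                hours = (rec["ts"] - prev_ts).total_seconds() / 3600.0
                dist_km = haversine_km(prev_lat, prev_lon, lat, lon)
                if hours > 0 and dist_km / hours > MAX_TRAVEL_KMH:
                    alerts.append(("impossible_travel", acct, f"{dist_km:.0f} km in {hours:.2f} h"))
            last_login[acct] = (rec["ts"], lat, lon)

        elif rec["event"] == "download":
            window = download_windows[acct]
            window.append((rec["ts"], int(rec["bytes"])))
            # Drop entries older than one hour so the window is rolling.
            while window and rec["ts"] - window[0][0] > timedelta(hours=1):
                window.popleft()
            total_bytes = sum(b for _, b in window)
            if acct not in bulk_flagged and (
                len(window) > DOWNLOADS_PER_HOUR or total_bytes > BYTES_PER_HOUR
            ):
                bulk_flagged.add(acct)
                alerts.append(("bulk_download", acct, f"{len(window)} files, {total_bytes} bytes/hour"))

    return alerts


# Constructed sample log (not real portal data): one ordinary account and one
# account that logs in at night, pulls 12 files in 12 minutes, then logs in
# again 38 minutes later from roughly 6,000 km away.
SAMPLE_LOG = [
    "2026-03-04T02:12:10Z login acct=prov-0587 ip=203.0.113.7 lat=41.76 lon=-72.68",
] + [
    f"2026-03-04T02:{13 + i:02d}:00Z download acct=prov-0587 file=claims_{i:03d}.csv bytes=1048576"
    for i in range(12)
] + [
    "2026-03-04T02:50:00Z login acct=prov-0587 ip=192.0.2.9 lat=52.52 lon=13.40",
    "2026-03-04T14:05:00Z login acct=prov-0142 ip=198.51.100.4 lat=41.76 lon=-72.68",
    "2026-03-04T14:06:30Z download acct=prov-0142 file=remit_2026-02.pdf bytes=204800",
]

if __name__ == "__main__":
    for kind, acct, detail in analyze(SAMPLE_LOG):
        print(f"{kind:18} {acct:10} {detail}")
```

The three detectors are deliberately independent so each can be tuned or disabled on its own; in practice the bulk-download threshold is the one most worth baselining per provider, since a large hospital system legitimately pulls far more remittance files than a single practice.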
Sources: Officials: Cyber Attacker Downloaded Info Of 22,500 CT Medicaid Users | CT News Junkie