The state Department of Social Services issued a notice late last week about a data breach involving Connecticut’s HUSKY Medicaid program, saying it exposed the personal information of approximately 22,500 people.
According to DSS, an unauthorized third party gained access to several Hartford HealthCare-linked accounts on a state provider portal.
The breach occurred within the HUSKY provider portal operated by DSS contractor Gainwell Technologies, not within Hartford HealthCare’s own systems, state officials and the health system said.
DSS and Gainwell disclosed Friday that they learned on March 25 that the unauthorized third party had accessed a small number of Hartford HealthCare payment accounts on the portal and downloaded files containing patient information.
An investigation found the intruder used compromised Hartford HealthCare employee credentials to access the accounts on March 4. The activity appeared to be financially motivated rather than an effort to obtain patient data, state officials said.
DSS and Gainwell said they immediately secured the affected portion of the portal, terminated the unauthorized access, notified law enforcement and launched an investigation using outside cybersecurity experts.
Investigators determined the attack had been contained and the unauthorized user no longer had access to the system.
The exposed information varied by individual but collectively included names, identification numbers associated with Hartford HealthCare accounts or Medicaid claims, dates of medical services, details about services received and billing information, payment amounts and information related to non-Medicaid health insurance coverage, including policy and group numbers.
Officials said neither Social Security numbers nor financial account information was exposed because that data is not stored within the affected system.
In a statement, HHC emphasized that none of its own systems, portals or websites were compromised.
HHC officials said they detected unusual activity involving accounts associated with the Medicaid claims and payment portal and alerted both DSS and Gainwell.
HHC noted that the portal is hosted and maintained by Gainwell on behalf of the state and is required for Medicaid providers to submit claims and receive payments.
DSS and Gainwell began notifying affected individuals by mail on May 22. The notice includes offers of credit monitoring, identity monitoring and fraud support services. Affected individuals can obtain additional information through a dedicated call center established for the incident at 1-855-744-4488.
