FB pixel

HHS removes Login.gov from grantee payment system after cyberattack

HHS removes Login.gov from grantee payment system after cyberattack

The U.S. Department of Health and Human Services has removed Login.gov from its grantee payment platform after a security breach in March of last year resulted in hackers stealing millions of dollars from seven different grantee organizations last year, according to Nextgov.

Using a combination of publicly available information and data from SAM.gov, the federal government’s system that manages award data, bad actors were able to impersonate employees at the organizations affected and changed their banking information in the system, successfully stealing $7.5 million.

In February, HHS installed ID.me in place of Login.gov and Twilio, a third party MFA provider, after the latter failed to protect against the breach. Because technical security controls weren’t bypassed, the agency didn’t categorize the act as a cybersecurity incident after speaking with the Cybersecurity and Infrastructure Security Agency, an HHS spokesperson says to Nextgov.

“HHS’ lack of transparency to Congress and the public regarding this breach is deeply concerning,” said Sen. Bill Cassidy in a written statement. “It not only undermines public trust, but suggests the administration is ill-equipped to protect patients against cyberattacks. It is crucial HHS work with Congress and stakeholders to ensure this kind of incident does not happen again.”

HHS and GSA both maintain that Login.gov was not connected to the theft, as the single sign-on system was only authenticating users for the PMS system. Still, two-factor authentication for the system wasn’t enabled until July of last year.

An HHS spokesperson noted that Login.gov doesn’t currently meet requirements to meet NIST IAL2, an identity proofing standard, while ID.me does. The IRS made the switch to ID.me last year for this reason.

GSA also announced it will add facial recognition to Login.gov in May to meet the NIST standard. Meanwhile, HHSs eliminated the username/password combination sign-in option, now requiring either ID.me or a government PIV or CAC card to sign-in, using its External User Management System (XMS), a federated identity platform.

“HHS is assessing all public facing systems to ensure that identity proofing for federal digital services provided to public consumers aligns with NIST guidance and government-wide [identity credential and access management] requirements,” said the HHS spokesperson to Nextgov.  “HHS will continue to leverage Login.gov where appropriate and expand its use once it becomes capable of IAL2 identity proofing.”

Login.gov awarded eight blanket purchase agreements to major identity proofing companies in March.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News


Zighra behavioral biometrics contracted for Canadian government cybersecurity testing

Zighra has won a contract with Shared Services Canada (SSC) to protect digital identities with threat detection and Zero Trust…


Klick Labs develops deepfake detection method focusing on vocal biomarkers

The rise in deepfake audio technology has significant threats in various domains, such as personal privacy, political manipulation, and national…


Ford Motor patent filing for facial recognition vehicle entry system published

A patent filing from the Ford Motor Company for a facial recognition vehicle entry system has been published by the…


Real ID requirement finally set to take effect on May 7, 2025

Real ID is about to get real. As of May 2025, adults will no longer be able to use traditional…


MOSIP launches QR code spec for interoperable offline biometrics, ID authentication

MOSIP, the Modular Open Source Identity Platform, has introduced a standardized, interoperable QR code that enables offline authentication with face…


Zwipe partners to launch biometric access cards in 4 European countries

Plasticard-ZFT, a manufacturer specializing in plastic cards, smart cards, and ID media, has forged a partnership with Zwipe to introduce…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events