
HHS removes Login.gov from grantee payment system after cyberattack


The U.S. Department of Health and Human Services has removed Login.gov from its grantee payment platform after a security breach in March of last year resulted in hackers stealing millions of dollars from seven different grantee organizations, according to Nextgov.

Using a combination of publicly available information and data from SAM.gov, the federal government’s system that manages award data, bad actors were able to impersonate employees at the affected organizations and change their banking information in the system, successfully stealing $7.5 million.

In February, HHS installed ID.me in place of Login.gov and Twilio, a third-party MFA provider, after the latter failed to protect against the breach. Because technical security controls weren’t bypassed, the agency didn’t categorize the act as a cybersecurity incident after speaking with the Cybersecurity and Infrastructure Security Agency, an HHS spokesperson told Nextgov.

“HHS’ lack of transparency to Congress and the public regarding this breach is deeply concerning,” said Sen. Bill Cassidy in a written statement. “It not only undermines public trust, but suggests the administration is ill-equipped to protect patients against cyberattacks. It is crucial HHS work with Congress and stakeholders to ensure this kind of incident does not happen again.”

HHS and GSA both maintain that Login.gov was not connected to the theft, as the single sign-on system was only authenticating users for the PMS system. Still, two-factor authentication for the system wasn’t enabled until July of last year.

An HHS spokesperson noted that Login.gov doesn’t currently meet the requirements for NIST IAL2, an identity proofing standard, while ID.me does. The IRS made the switch to ID.me last year for this reason.

GSA also announced it will add facial recognition to Login.gov in May to meet the NIST standard. Meanwhile, HHS eliminated the username/password combination sign-in option, now requiring either ID.me or a government PIV or CAC card to sign in, using its External User Management System (XMS), a federated identity platform.

“HHS is assessing all public facing systems to ensure that identity proofing for federal digital services provided to public consumers aligns with NIST guidance and government-wide [identity credential and access management] requirements,” said the HHS spokesperson to Nextgov. “HHS will continue to leverage Login.gov where appropriate and expand its use once it becomes capable of IAL2 identity proofing.”

Login.gov awarded eight blanket purchase agreements to major identity proofing companies in March.
