Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Credential compromise on a government Medicaid portal has already resulted in the confirmed download of 22,500 patient records, so the threat is not theoretical: exposure is established, and the attack vector (stolen credentials used against an externally accessible provider portal) is low-sophistication and repeatable. Impact is high because the breach involves PHI tied to a vulnerable Medicaid population, triggering mandatory HIPAA breach notification, a probable OCR investigation, Connecticut state privacy enforcement, and reputational harm concentrated on a protected demographic.
Treatment rationale: The breach is confirmed and notification obligations are already in motion, so avoidance is moot. The residual risk of repeat credential compromise and regulatory escalation must be actively reduced through immediate access control hardening, MFA enforcement on the portal, and credential hygiene remediation. Transfer alone is insufficient, since insurance does not extinguish the regulatory exposure.
Third-Party / Supply-Chain Risk
Hartford HealthCare operates as a covered entity accessing a state-administered Medicaid provider portal (a Connecticut third-party platform). NIST SP 800-161 supply-chain risk applies because the organization's data security posture is partially dependent on the access-control architecture of the state portal operator. If the portal lacks compensating controls (MFA enforcement, session monitoring, anomalous-download detection), Hartford HealthCare cannot unilaterally close those gaps; it must treat the portal operator as an external dependency risk requiring formal third-party risk assessment and escalation to the Connecticut Medicaid program office.
Loss Exposure (illustrative)
Magnitude: High — illustrative $1.5M–$4M
Frequency: Single confirmed event; recurrence likelihood elevated while credential hygiene and portal access controls remain unaddressed — illustrative 1-in-2 probability of a related credential incident within 24 months if root cause is not fully remediated.
Annualized: Illustrative ALE: $750K–$2M annualized, weighted by single-event magnitude and near-term recurrence probability pending remediation.
Basis: Loss magnitude derived from four cost drivers specific to this incident: (1) mandatory HIPAA breach notification for 22,500 individuals — per-record notification, call-center, and credit-monitoring costs for a population of this size; (2) OCR investigation response and potential civil monetary penalties, which for HIPAA violations involving PHI of a vulnerable population can range from low five figures to high six figures per violation category; (3) Connecticut state enforcement action and potential AG investigation costs; (4) reputational harm and patient-relations costs compounded by Medicaid population sensitivity. No industry benchmark reports cited. Recurrence probability reflects the known attack vector (credential abuse against an accessible portal) remaining exploitable until MFA and access controls are enforced.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• PHI exposure affecting 22,500 individuals may invoke HIPAA breach notification obligations and OCR investigation — verify scope and timeline requirements with counsel.
• Connecticut state privacy law (Conn. Gen. Stat. § 36a-701b and related statutes) may impose independent breach notification obligations — verify applicability and deadlines with counsel.
• Incident scope and confirmed data download may trigger cyber-insurance notice obligations under the policy's reporting window — verify with broker immediately.
• Medicaid provider agreement with the Connecticut Department of Social Services may contain breach reporting and data-handling clauses with contractual penalties — verify with counsel.