A threat actor used compromised credentials to access Hartford HealthCare’s payment accounts on the Connecticut Medicaid provider portal and exfiltrated records belonging to approximately 22,500 Medicaid patients. The attack exploited valid account access and insufficient access controls on the provider portal rather than a software vulnerability. The risk to other healthcare organizations lies in inadequate credential hygiene and missing MFA on externally accessible government healthcare portals.