HHS Removes Login.gov Amid Cybersecurity Concerns Following $7.5M Breach

April 17, 2024

The U.S. Department of Health and Human Services (HHS) has stopped using Login.gov for payments due to a security breach where hackers stole $7.5 million.

HHS switched to ID.me in February for the Payment Management System (PMS), which processes federal grant payments. The change came after thieves abused the system by posing as grant recipients and altering those recipients' banking details, using information that is publicly available on SAM.gov. After consulting the Cybersecurity and Infrastructure Security Agency (CISA), HHS characterized the theft as a law enforcement matter rather than a cybersecurity incident, on the grounds that its security controls had continued to operate as designed: the fraudsters did not defeat those controls but impersonated legitimate users within the existing process.

Login.gov’s Role and Replacement

According to Nextgov, although HHS and the General Services Administration (GSA), which operates Login.gov, insist that Login.gov was neither compromised nor linked to the theft, the breach prompted HHS to tighten access controls on PMS. As part of that tightening, HHS removed Login.gov and the previous two-factor authentication, whose second factor was delivered through Twilio, a third-party messaging service.

Sen. Bill Cassidy, R-La., expressed concern over HHS's lack of transparency:

“Americans trust the government to secure their taxpayer dollars against cyberattacks. HHS’ lack of transparency undermines public trust and suggests the administration is ill-equipped to protect patients against cyberattacks.”

Transitioning to NIST’s IAL2 Standard

Because Login.gov could not meet the National Institute of Standards and Technology (NIST) Identity Assurance Level 2 (IAL2) requirements, HHS switched to ID.me for identity proofing at that level. IAL2, defined in NIST SP 800-63A, requires that a user's real-world identity be verified against identity evidence before an account is issued, rather than merely binding a credential to whoever registers.

HHS also implemented a federal identity platform, the External User Management System (XMS), which supports multiple credential providers, including ID.me and government-issued PIV or CAC cards. The change simplifies registration: users sign in with an ID.me account or with a PIV/CAC card and a compatible card reader.

An HHS spokesperson said:

“HHS is assessing all public facing systems to ensure that identity proofing for federal digital services provided to consumers aligns with NIST guidance and government-wide [identity credential and access management] requirements. HHS will continue to leverage Login.gov where appropriate and expand its use once it becomes capable of IAL2 identity proofing.”

Future Outlook

Additionally, Login.gov recently awarded eight blanket purchase agreements to major identity verification companies, a sign of the federal government's commitment to bringing its digital infrastructure in line with evolving identity assurance standards.

Looking ahead, HHS is reviewing its public-facing systems to ensure compliance with NIST guidance and government-wide identity requirements. The agency plans to expand its use of Login.gov once the service is capable of IAL2 identity proofing.