Cyber Incident Victim: Gainwell Technologies
Date:
Oct 2020
Location:
United States of America
Summary
An unauthorized individual accessed an account associated with Wisconsin’s Medicaid program, potentially compromising participant information including names, member identification numbers, and billing codes for services. The incident involved Gainwell Technologies, which separately faced a distinct issue around the same period involving mismailings in another state’s Medicaid program.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 29, 2020, Gainwell Technologies disclosed an unauthorized individual accessed an account associated with Wisconsin’s Medicaid program. The breach occurred when the unauthorized party obtained entry to a system containing participant information, potentially compromising names, Medicaid member identification numbers, and billing codes corresponding to services received. The company did not specify the exact duration of unauthorized access or the number of affected individuals but confirmed the incident involved Wisconsin Medicaid beneficiaries. Gainwell Technologies, a contractor supporting Medicaid administrative services, publicly announced the incident through a formal release, though technical details regarding the intrusion method or initial detection mechanisms were not disclosed. The compromised billing codes could have revealed sensitive healthcare service details linked to individual participants, though medical records, Social Security numbers, and financial account information were not explicitly cited as exposed in this event.
The breach represented the second cybersecurity incident involving Gainwell Technologies around this period, following a separate TennCare (Tennessee Medicaid) breach involving mismailings of personal data. Gainwell clarified the Wisconsin incident was unrelated to the Tennessee matter, which involved physical document errors rather than unauthorized system access. No evidence suggested the Wisconsin breach resulted from a coordinated campaign or targeted attack. Gainwell did not describe specific containment measures, forensic findings, or post-incident notifications beyond its initial disclosure. The company’s release emphasized the potential exposure of limited participant data but did not confirm malicious misuse of information or detail remediation steps offered to affected individuals. Wisconsin Medicaid participants were left with unresolved questions regarding the breach’s full scope and the adequacy of safeguards for their protected health information.