HHS removed Login.gov from its grantee payment system after funding theft


Hackers used data from a federal contracting hub to steal funding from seven grantee organizations in an HHS breach that occurred last year. Both HHS and GSA say that Login.gov was not compromised or connected to the theft.

The Department of Health and Human Services quietly removed federal government single sign-on tool Login.gov from its grantee payment platform in a bid to beef up security after hackers hauled away millions of dollars from multiple grant recipient organizations last year.

In February, HHS installed the private sector tool ID.me for users to access its Payment Management System, which processes grant payments for government agencies, after thieves gained access to the platform, HHS confirmed to Nextgov/FCW.

The thieves mimicked grantees using data from SAM.gov, the federal government's System for Award Management, which holds entity registrations and contract award data, as well as publicly available information. That allowed them to impersonate real employees at grant recipient organizations and change those organizations' banking information in the payment system, HHS confirmed. Seven grantee organizations were affected.

The breach, which occurred between March 2023 and the end of that year, was first reported by Bloomberg News in January. The bad actors hauled away $7.5 million, though that number could grow as internal assessments of the incident continue.

Both HHS and the General Services Administration, which runs Login.gov, say that the identity system was not connected to the theft, and that none of its accounts were compromised. 

But the incident spurred HHS to require that any PMS login option include identity proofing, which resulted in the removal of Login.gov and of a two-factor authentication option that had previously been provided through the third-party vendor Twilio. The Twilio option let a user who controlled the enrolled email or mobile account receive a one-time password on that device or inbox and use it to log in, according to the agency. Neither option verified that the person holding the credential was actually the grantee employee they claimed to be.

HHS runs the payment system as a shared service across government; its users include the Departments of Homeland Security and Labor and the Pentagon. It is billed as the largest grants payment and cash management system in the federal government, supporting over 30,000 grant recipient accounts worldwide.

The new details of the theft, which have not been previously reported, further signal that the system was breached via social engineering techniques, according to a person with knowledge of the incident who spoke on the condition of anonymity because they were not authorized to publicly assess the matter.

According to HHS, because technical security controls weren’t bypassed, the agency deemed the incident a law enforcement matter rather than a cybersecurity incident, after it spoke with the Cybersecurity and Infrastructure Security Agency.

CISA, the FBI and HHS's oversight office, all of which were notified of the Login.gov switch, declined to comment. The Office of Management and Budget was also notified and did not respond to multiple requests for comment.

Sen. Bill Cassidy, R-La., the ranking member of the Senate Health, Education, Labor and Pensions Committee, recently asked HHS to provide the panel with details about the incident, including which grantees were affected and what steps the agency has taken to recover the funds.

“Americans trust the government to secure their taxpayer dollars against cyberattacks,” Cassidy said in an emailed statement. “HHS’ lack of transparency to Congress and the public regarding this breach is deeply concerning. It not only undermines public trust, but suggests the administration is ill-equipped to protect patients against cyberattacks. It is crucial HHS work with Congress and stakeholders to ensure this kind of incident does not happen again.”

Why HHS dropped Login.gov

Although Login.gov accounts were not breached during the incident, HHS still opted to drop the system because of the hackers’ success, the HHS spokesperson said, as part of a move to add identity proofing to the payment system.

Login.gov had only been providing authentication services to PMS, according to GSA, and even two-factor authentication was not fully enforced for PMS users on Login.gov until July of last year, per HHS.

As for the change, the HHS spokesperson pointed to the fact that Login.gov does not currently meet the National Institute of Standards and Technology's standard for digital identity proofing, identity assurance level 2, or IAL2, which requires evidence that the real-world identity a user claims actually exists and belongs to that user, so that an account cannot be created or used by someone masquerading as another person.

ID.me, the new service being used for the PMS platform, offers IAL2-level identity proofing, according to the company's website.

The fact that Login.gov doesn’t meet NIST’s IAL2 standard was the subject of a bombshell watchdog report last year, which found that GSA misled other agencies about its compliance with the standard. GSA just last week announced plans to add facial recognition technology to the platform to help it meet that standard.

Some agencies, including the IRS, have hesitated to use the service due to its lack of IAL2-level identity proofing.

At HHS, the username and password combination for signing in to PMS, a legacy holdover for individuals whose PIV or CAC cards had expired, was also removed as part of the effort to require identity proofing, according to the HHS spokesperson. Now, the system requires either ID.me or a government PIV or CAC card to log in.

HHS is leveraging its own federated identity platform — called the External User Management System, or XMS — to support the changes. That platform offers access to various credential service providers, including ID.me and a PIV or CAC option for government users outside of HHS.
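As an added illustration, and not HHS's or GSA's code or a description of how PMS or XMS is actually implemented, the Python below sketches the control change the preceding paragraphs describe: an authorization gate that permits a bank-account change only from a session whose credential provider performed identity proofing at IAL2 or above, plus a retrospective check over a constructed audit trail for disbursements that followed a bank-account change made through a login that did no identity proofing (the pattern described in the theft). The provider-to-level mapping, the policy table, the event format and the audit events are all assumptions made for the example; only the facts that ID.me claims IAL2 and that Login.gov falls below IAL2 come from the article.

```python
"""Assurance-level gate for a grant payment portal (illustrative, not HHS/PMS code).

Models the distinction the article turns on: authentication (AAL) proves the
user holds the credential; identity proofing (IAL) proves the credential was
issued to a verified real person. A bank-account change by an account that was
never identity-proofed is exactly the transaction the impersonators abused.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed mapping of login options to NIST SP 800-63-3 levels. ID.me at IAL2
# and Login.gov below IAL2 are from the article; every other row is an
# assumption for illustration (password and OTP do no identity proofing).
CSP_ASSURANCE = {
    "password":  {"ial": 1, "aal": 1},   # legacy username/password (assumed)
    "otp_sms":   {"ial": 1, "aal": 2},   # one-time code to phone/email (assumed)
    "login.gov": {"ial": 1, "aal": 2},   # authentication only, below IAL2
    "id.me":     {"ial": 2, "aal": 2},   # IAL2 proofing per vendor claim
    "piv_cac":   {"ial": 3, "aal": 3},   # assumed for a FIPS 201 PIV/CAC card
}

# Hypothetical per-transaction minimums; the bank-account change is the
# high-risk action and is gated on identity proofing, not just on MFA.
TRANSACTION_POLICY = {
    "change_bank_account": {"ial": 2, "aal": 2},
    "view_award":          {"ial": 1, "aal": 2},
}


@dataclass(frozen=True)
class Session:
    user: str
    csp: str   # credential service provider that authenticated this session
    org: str


def authorize(session: Session, action: str) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown providers or actions fail closed."""
    levels = CSP_ASSURANCE.get(session.csp)
    need = TRANSACTION_POLICY.get(action)
    if levels is None or need is None:
        return False, f"unknown csp {session.csp!r} or action {action!r}"
    if levels["ial"] < need["ial"]:
        return False, f"{action} requires IAL{need['ial']}, session has IAL{levels['ial']}"
    if levels["aal"] < need["aal"]:
        return False, f"{action} requires AAL{need['aal']}, session has AAL{levels['aal']}"
    return True, "ok"


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    org: str
    csp: str      # provider used for the session; "n/a" for system-generated events
    action: str   # "change_bank_account" or "disbursement"


def find_suspect_disbursements(events, window=timedelta(days=30)):
    """Retrospective detection: flag a disbursement to an org that occurs within
    `window` after a bank-account change made through a non-proofed (IAL < 2)
    login. Returns a list of (org, change_ts, disbursement_ts)."""
    by_org = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_org.setdefault(e.org, []).append(e)
    hits = []
    for org, evs in by_org.items():
        weak_changes = [e for e in evs if e.action == "change_bank_account"
                        and CSP_ASSURANCE.get(e.csp, {"ial": 0})["ial"] < 2]
        for e in evs:
            if e.action != "disbursement":
                continue
            for c in weak_changes:
                if c.ts <= e.ts <= c.ts + window:
                    hits.append((org, c.ts, e.ts))
                    break
    return hits


# Constructed sample audit trail for the example; not real PMS data.
SAMPLE_EVENTS = [
    AuditEvent(datetime(2023, 4, 3, 9, 12), "jdoe", "Grantee-A", "otp_sms", "change_bank_account"),
    AuditEvent(datetime(2023, 4, 17, 14, 0), "system", "Grantee-A", "n/a", "disbursement"),
    AuditEvent(datetime(2023, 5, 1, 10, 5), "asmith", "Grantee-B", "id.me", "change_bank_account"),
    AuditEvent(datetime(2023, 5, 9, 11, 30), "system", "Grantee-B", "n/a", "disbursement"),
    AuditEvent(datetime(2023, 6, 2, 8, 45), "system", "Grantee-C", "n/a", "disbursement"),
]

if __name__ == "__main__":
    print(authorize(Session("jdoe", "otp_sms", "Grantee-A"), "change_bank_account"))
    print(authorize(Session("jdoe", "id.me", "Grantee-A"), "change_bank_account"))
    for hit in find_suspect_disbursements(SAMPLE_EVENTS):
        print("review:", hit)
```

The gate deliberately keys on IAL rather than on whether MFA was used: an OTP sent to a phone the attacker enrolled, or a Login.gov account the attacker created in a real employee's name, both satisfy AAL2 while proving nothing about who the person is, which is the gap the article's sources describe. The detector is the kind of after-the-fact check an incident responder would run to scope which disbursements followed an unproofed bank-detail change.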

As for the fate of Login.gov at the agency writ large, HHS said in a statement that it is also reviewing its other systems that require identity proofing to ensure they meet the IAL2 standard.

“HHS is assessing all public facing systems to ensure that identity proofing for federal digital services provided to public consumers aligns with NIST guidance and government-wide [identity credential and access management] requirements,” an HHS spokesperson told Nextgov/FCW. “HHS will continue to leverage Login.gov where appropriate and expand its use once it becomes capable of IAL2 identity proofing.”