Back to news
Cybersecurity Alert
July 12, 2026 by EmailMeNow IT Consulting

Texas Medicaid Providers Must Move to TMHP IAMOnline MFA Before August 3, 2026

TMHP Release 3 moves Custom Reports, MCP, Document Uploads, and more into IAMOnline with required MFA on August 3, 2026. Audits score tmhp.com at 74% and hhs.texas.gov at 58% vs a 100% domain-security ideal — activation emails are a prime phishing window.

Source: Texas Medicaid & Healthcare Partnership (TMHP)

NewsTexasHealthcareMFAMedicaidTMHPCybersecurity
Texas Medicaid provider setting up multi-factor authentication for TMHP portal access

Texas is tightening the front door to Medicaid provider portals. Effective August 3, 2026, the Texas Medicaid & Healthcare Partnership (TMHP) will move more online applications onto TMHP IAMOnline — a single sign-on platform that requires multi-factor authentication (MFA) for Texas Medicaid providers.

TMHP’s June 12 notice (last updated July 3, 2026) frames Release 3 as the next step in making IAMOnline the secure entry point for apps on tmhp.com. For clinics and billing offices, this is a security upgrade — and a phishing risk window, because account activation depends on official emails and time-limited links.

Official source: New Login Process for All Texas Medicaid Providers Through TMHP IAMOnline

At a Glance

FactDetail
What changesMore TMHP apps move to IAMOnline SSO
EffectiveAugust 3, 2026 (Release 3)
WhoAll Texas Medicaid providers using TMHP portals
MFARequired on IAMOnline login
Default MFAEmail-based (automatic enrollment)
Optional MFA appsOkta Verify or Google Authenticator
Activation emailsSent June 8 and June 15, 2026 (7-day window)
Missed activation?Call EDI Help Desk 888-863-3638 to resend

Apps Moving in Release 3 (August 3, 2026)

ApplicationNotes
Custom ReportsTransitions to IAMOnline
Medicaid Client Portal (MCP)Transitions to IAMOnline
Document UploadsTransitions to IAMOnline
Provider Message DashboardTransitions to IAMOnline
My AccountTransitions to IAMOnline

TMHP says later articles will announce dates for remaining portal apps. Until an app is integrated, the new login process applies only to apps already on IAMOnline.

What Providers Must Do

StepActionDeadline
1Open the official TMHP IAMOnline activation emailWithin 7 days of receipt
2Activate the account, set a password, and register MFASame 7-day window
3Use the My Apps dashboard for transitioned applicationsAfter activation
4If both June emails were missedCall EDI Help Desk 888-863-3638 for a resend

Important: Providers who already have HHSC IAMOnline access for STEPS still must activate a separate TMHP IAMOnline account to reach TMHP applications.

Apps not yet on IAMOnline

Use the existing login process with your current My Account username and the new password created during TMHP IAMOnline activation.

Illustration: multi-factor authentication setup with phone authenticator beside a healthcare portal

MFA Options TMHP Supports

MethodHow it works
Email MFAAutomatic enrollment when you activate
Okta VerifyOptional app from Apple App Store / Google Play
Google AuthenticatorOptional app; set up via QR code or sign-in URL

Email-only MFA is better than passwords alone, but authenticator apps are generally stronger against inbox takeover. Prefer adding Okta Verify or Google Authenticator when staff phones are managed.

Why This Matters for Cybersecurity

Requiring MFA on Medicaid portals closes a long-standing gap: stolen passwords alone should no longer open billing, client, and document tools. The flip side is operational and social-engineering risk during the cutover.

RiskWhy it spikes now
Fake “TMHP activation” emailCriminals copy official MFA enrollment language
Lookalike IAMOnline login pagesCredential + MFA prompt harvesting
Help-desk impersonationAttackers pose as EDI support after missed June emails
Shared clinic passwordsMFA breaks shared logins — plan named accounts now
Dual portals (TMHP + HHSC STEPS)Staff confuse which IAMOnline account to use

Illustration: legitimate MFA activation email versus a fake lookalike portal login

Practical rule: Bookmark the official TMHP site from a known good source. Do not click activation links from unexpected forwards. If unsure, call the EDI Help Desk number published by TMHP — not a number in a cold email.

Independent Domain Security Audits — July 12, 2026

We scanned domains providers will touch during this transition. 100% is the ideal score for domain security.

OrganizationDomainOverallIdentityTransportWebsiteRisk
TMHPtmhp.com74%65%15%92%Good
Texas.govtexas.gov61%75%45%45%Above Average
Okta (MFA vendor)okta.com60%65%15%45%Above Average
HHSChhs.texas.gov58%25%15%92%Average

Key findings:

  • tmhp.com leads this set at 74% with strong Website (92%) and Email Infrastructure (100%), but Transport stays at 15% — a recurring gap that makes spoofed “official” mail easier to deliver.
  • hhs.texas.gov scores 58% with only 25% Identity — relevant because STEPS/HHSC IAMOnline users must still activate a separate TMHP account and may receive mixed government emails.
  • okta.com at 60% is still below the 100% ideal; treat MFA-app download prompts carefully and use only Apple App Store / Google Play.

Audit links:

Website Stack Probe — July 12, 2026

Passive stack checks of the same domains:

DomainPlatformNotable finding
tmhp.comDrupal 10Major version behind current Drupal 11; TLS valid (~41 days remaining at check time)
hhs.texas.govDrupal 11On Drupal 11 but behind latest patch line (11.4.2)
texas.govNot publicly fingerprintableTLS valid
okta.comNot publicly fingerprintableTLS valid

Drupal 10 on tmhp.com is not the same as unsupported PHP end-of-life, but it is a public signal that the Medicaid portal stack is not on the newest major CMS line — worth tracking alongside the MFA rollout.

Priority Actions for Texas Providers

  1. Confirm every billing/admin user has an activated TMHP IAMOnline account before August 3, 2026.
  2. Add Okta Verify or Google Authenticator on top of email MFA where possible.
  3. Train staff to verify TMHP emails — activation and MFA prompts are high-value phishing bait.
  4. Separate TMHP IAMOnline from HHSC/STEPS IAMOnline credentials in password managers.
  5. Call 888-863-3638 only from TMHP’s published number if activation emails were missed.

Sources: TMHP — New Login Process / IAMOnline MFA (Release 3) · EDI Help Desk 888-863-3638