Rewterz Threat Update – 4 Million Individuals Warned of Data Breach in Colorado Following IBM MOVEit Incident

Severity

High

Analysis Summary

The Colorado Department of Health Care Policy & Financing (HCPF) has notified over four million individuals about a data breach affecting their personal and health information. HCPF is a government agency responsible for managing Health First Colorado (Medicaid) and Child Health Plan Plus programs, aiding low-income families, the elderly, and citizens with disabilities.

The breach occurred due to the exploitation of a MOVEit Transfer zero-day vulnerability (CVE-2023-34362) by the Clop ransomware group in a global hacking campaign impacting numerous organizations. HCPF clarifies that their systems weren’t directly compromised, but rather the breach occurred through their contractor, IBM, which utilized the compromised MOVEit software.

“After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted its own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party.” as per the notice by the company. 

Upon learning of IBM’s impact by the MOVEit incident, HCPF promptly launched an investigation to ascertain whether the incident affected their systems and whether the personal health information of Health First Colorado or CHP+ members had been accessed. While HCPF’s own systems were found unaffected, the investigation revealed unauthorized access to certain HCPF files on the MOVEit application used by IBM. This unauthorized access occurred around May 28, 2023, and exposed specific data of Health First Colorado and CHP+ members.

The compromised information includes full names, Social Security Numbers (SSNs), Medicaid and Medicare ID numbers, birthdates, home addresses, contact details, income and demographic data, clinical information (diagnoses, lab results, treatments, medications), and health insurance information. This type of data exposes individuals to potential phishing, social engineering, identity theft, and bank fraud.

In total, the breach affected 4,091,794 individuals. To mitigate the impact, HCPF is offering two years of credit monitoring services through Experian for individuals affected by the breach.

This incident follows a similar breach by the Department of Higher Education (CDHE) in Colorado, which disclosed a ransomware attack impacting students and teachers. Although the CDHE confirmed the use of stolen data for double extortion and network encryption, they did not elaborate on how the hackers gained access.

Additionally, another institution, Colorado State University, revealed a breach resulting from its use of the vulnerable MOVEit Transfer software, affecting tens of thousands of students and academic staff in July 2023. These incidents underscore the growing challenges organizations face in securing sensitive data and safeguarding against ransomware attacks.

Impact

• Personal Identifiable Information (PII) Disclosure
• Unauthorized Access
• Sensitive Data Exposure

Indicators of Compromise

CVE

CVE-2023-34362

Affected Vendor

MOVEit

Affected Product

• Progress MOVEit Transfer 13.0.5
• Progress MOVEit Transfer 13.1.3
• Progress MOVEit Transfer 14.0.3
• Progress MOVEit Transfer 14.1.4
• Progress MOVEit Transfer 15.0.0

Remediation

• Refer to Progress Web site for patch, upgrade or suggested workaround information.
• Immediately apply security patches and updates to all software systems, including third-party applications like MOVEit Transfer, to eliminate vulnerabilities and reduce the risk of future exploits.
• Conduct thorough security assessments and due diligence when engaging third-party contractors and vendors, ensuring that their systems adhere to stringent security standards.
• Educate employees and contractors about social engineering, phishing, and other tactics used in cyberattacks, empowering them to recognize and report suspicious activities.
• Implement advanced email filtering and anti-phishing solutions to prevent malicious emails containing malware or harmful links from reaching recipients.
• Continuously monitor security research and sources to promptly identify and address zero-day vulnerabilities
• Implement network segmentation to compartmentalize sensitive data and critical systems, limiting lateral movement in case of a breach.
• Enforce MFA for accessing sensitive systems and applications, adding an extra layer of protection against unauthorized access.
• Deploy EDR solutions to monitor endpoints for suspicious activities, allowing for rapid response to potential breaches.
• Develop and regularly update an incident response plan outlining specific steps to take when a breach is detected, including communication, containment, and recovery.
• Conduct regular security audits and assessments of third-party vendors and contractors to ensure compliance with security best practices.
• Review and minimize the collection and retention of sensitive data, reducing the potential impact of a breach.
• Maintain up-to-date backups of critical data and regularly test the restoration process to ensure data availability in case of a breach or system failure.
• Ensure compliance with relevant data protection and privacy regulations, as well as industry-specific standards.
• Implement continuous network and system monitoring to promptly detect and respond to any abnormal activities.
• Train employees and contractors on security best practices, emphasizing the importance of handling sensitive information securely.