The Colorado Department of Health Care Policy & Financing (HCPF) has notified over four million individuals about a data breach affecting their personal and health information. HCPF is a government agency responsible for managing Health First Colorado (Medicaid) and Child Health Plan Plus programs, aiding low-income families, the elderly, and citizens with disabilities.
The breach occurred due to the exploitation of a MOVEit Transfer zero-day vulnerability (CVE-2023-34362) by the Clop ransomware group in a global hacking campaign impacting numerous organizations. HCPF clarifies that their systems weren’t directly compromised, but rather the breach occurred through their contractor, IBM, which utilized the compromised MOVEit software.
“After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted its own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party.” as per the notice by the company.
Upon learning of IBM’s impact by the MOVEit incident, HCPF promptly launched an investigation to ascertain whether the incident affected their systems and whether the personal health information of Health First Colorado or CHP+ members had been accessed. While HCPF’s own systems were found unaffected, the investigation revealed unauthorized access to certain HCPF files on the MOVEit application used by IBM. This unauthorized access occurred around May 28, 2023, and exposed specific data of Health First Colorado and CHP+ members.
The compromised information includes full names, Social Security Numbers (SSNs), Medicaid and Medicare ID numbers, birthdates, home addresses, contact details, income and demographic data, clinical information (diagnoses, lab results, treatments, medications), and health insurance information. This type of data exposes individuals to potential phishing, social engineering, identity theft, and bank fraud.
In total, the breach affected 4,091,794 individuals. To mitigate the impact, HCPF is offering two years of credit monitoring services through Experian for individuals affected by the breach.
This incident follows a similar breach by the Department of Higher Education (CDHE) in Colorado, which disclosed a ransomware attack impacting students and teachers. Although the CDHE confirmed the use of stolen data for double extortion and network encryption, they did not elaborate on how the hackers gained access.
Additionally, another institution, Colorado State University, revealed a breach resulting from its use of the vulnerable MOVEit Transfer software, affecting tens of thousands of students and academic staff in July 2023. These incidents underscore the growing challenges organizations face in securing sensitive data and safeguarding against ransomware attacks.