Colorado Department of Health Care Policy & Financing (HCPF) has suffered a MOVEit data breach impacting 4 million individuals. HCPF oversees Health First Colorado (Medicaid), Child Health Plan Plus (CHP+), and other state healthcare programs.
The state agency said the breach stemmed from its technology partner IBM which utilized Progress Software’s MOVEit managed file transfer application impacted by the May 31, 2023 zero-day vulnerability CVE-2023-34362.
“IBM, a third-party vendor contracted with HCPF, uses the MOVEit application to move HCPF data files in the normal course of business,” said HCPF.
After discovering it was impacted by the MOVEit incident, HCPF responded by launching an investigation into whether threat actors accessed Health First Colorado or CHP+ members’ protected health information.
Colorado department of health care’s MOVEit data breach leaked PII and PHI
HCPF’s investigation determined that the MOVEit data breach leaked sensitive data but did not compromise the state agency’s internal systems.
“While HCPF confirmed that no other HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023,” Colorado Department of Health Care Policy & Financing disclosed.
IBM has yet to publicly acknowledge the MOVEit data breach, which also impacted Missouri’s Department of Social Services (DSS).
However, the tech giant told Missouri’s DSS it had applied the recommended fixes and temporarily halted the software to investigate the MOVEit data breach.
“It appears that IBM did the right thing by notifying them; however, since Colorado Health Care systems didn’t appear to be involved, and the data was leaked – likely as part of normal operations procedures in good faith with their service provider – there are limited ways they could have prevented this event,” noted Jim Kelly, RVP, Endpoint Security at Tanium.
Meanwhile, HCPF confirmed threat actors accessed extensive personal, demographic, and protected health care data. Information leaked includes full name, Social Security number, Medicaid ID number, Medicare ID number, date of birth, home address and other contact information, demographic or income information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), and health insurance information.
Although the data breach does not appear to have exposed financial information such as credit card numbers, hackers could use the leaked PII to craft convincing spear phishing messages and extract more information.
“Healthcare providers stand to experience some of the worst consequences of these breaches, as they manage extensive amounts of sensitive personal and health information about staff, members, and patients,” said Zane Bond, Head of Product at Keeper Security.
According to a data breach notification filed with the Office of the Maine Attorney General, the Colorado Department of Health Care began notifying in writing 4,091,794 victims on August 11.
Additionally, the state agency is offering potentially impacted individuals two years of free credit monitoring and identity restoration services provided through Experian.
The Department of Health Care also advised the victims to monitor their accounts, report any unauthorized activity, and place a free credit freeze if necessary to protect themselves from identity theft and fraud.
HCPF is also reviewing its cybersecurity policies and practices to prevent similar data breaches in the future.
MOVEit data breach at service provider may lead to more victims
“Indeed, the MOVEit software breach incident at IBM that led to Colorado HCPF’s data exposure is just the tip of the iceberg in what appears to be a larger vulnerability affecting several organizations,” said Ani Chaudhuri, CEO at Dasera.
The Colorado Department of Health Care MOVEit data breach follows a ransomware attack on the Colorado Department of Higher Education (CDHE) that leaked current and former students and educators’ data spanning 13 years. Similarly, Colorado State University disclosed a MOVEit data breach that leaked data “dating back to at least 2021.”
Known victims of the MOVEit data breach include the U.S. Department of Energy, Schneider Electric, Siemens Energy, Shell, Louisiana’s Office of Motor Vehicles, Norton’s parent company Gen Digital, and German Banks Deutsche Bank AG, Commerzbank, and ING.