Connect with us

Hi, what are you looking for?


Data Breaches

Colorado Health Agency Says 4 Million Impacted by MOVEit Hack

Colorado’s health programs administrator says the personal information of 4 million individuals was compromised in the recent MOVEit hack.

The Colorado Department of Health Care Policy and Financing (HCPF) has revealed that the personal information of millions of individuals was compromised in a data breach resulting from the recent MOVEit cyberattack.

On Friday, HCPF informed the Maine Attorney General’s office that it has started informing close to 4.1 million individuals that their personal information might have been compromised in the incident.

In a sample notification letter submitted to authorities, HCPF revealed that, on May 28, an unauthorized party accessed certain HCPF files that IBM, which is providing certain services to the organization, was transferring using MOVEit. 

Those files contained the personal information of both Health First Colorado (Medicaid) and Child Health Plan Plus members.

The exposed information, the organization says, includes names, addresses, birth dates, Social Security numbers, demographic or income information, medical information, treatment information, and health insurance information.

“Upon discovering the event, HCPF moved quickly to investigate the incident, confirm that no HCPF systems were impacted, and identify potentially affected individuals,” HCPF says.

On August 11, the agency started notifying the potentially impacted individuals of the data breach, offering free credit monitoring and identity restoration services, along with guidance on how they can protect themselves against identity theft and fraud.

Advertisement. Scroll to continue reading.

Last week, the Missouri Department of Social Services (DSS) announced that it was impacted by the MOVEit hack. The same as HCPF, the DSS data breach occurred through IBM. 

In May, Progress Software announced that a zero-day vulnerability had allowed cybercriminals to steal information transferred through the MOVEit Transfer managed file transfer (MFT) software.

According to data from cybersecurity firm Emsisoft, as of August 12, 2023, more than 660 organizations were impacted – directly and indirectly – by the MOVEit hack. The personal and health information of over 46 million people was affected.

Some of the organizations known to have been hit include government services firm Maximus, the US Department of Energy, Louisiana’s Office of Motor Vehicles, Norton parent company Gen Digital, Siemens Energy, Schneider Electric, and energy giant Shell.

Update: Responding to a SecurityWeek inquiry, an IBM spokesperson said:

IBM has worked closely with the Colorado Department of Health Care Policy and Financing (HCPF) and the Missouri Department of Social Services to determine and minimize the impact of the breach of MOVEit Transfer, a non-IBM data transfer program provided by Progress Software. Upon receiving notification of the breach from Progress, we moved quickly to isolate potentially impacted systems and have implemented a thorough mitigation plan. There has been no impact to IBM systems.

Related: Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks

Related: MOVEit: Testing the Limits of Supply Chain Security

Related: MOVEit Customers Urged to Patch Third Critical Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.