Colorado Health Agency Says 4 Million Impacted by MOVEit Hack

The Colorado Department of Health Care Policy and Financing (HCPF) has revealed that the personal information of millions of individuals was compromised in a data breach resulting from the recent MOVEit cyberattack.

On Friday, HCPF informed the Maine Attorney General’s office that it has started informing close to 4.1 million individuals that their personal information might have been compromised in the incident.

In a sample notification letter submitted to authorities, HCPF revealed that, on May 28, an unauthorized party accessed certain HCPF files that IBM, which is providing certain services to the organization, was transferring using MOVEit. 

Those files contained the personal information of both Health First Colorado (Medicaid) and Child Health Plan Plus members.

The exposed information, the organization says, includes names, addresses, birth dates, Social Security numbers, demographic or income information, medical information, treatment information, and health insurance information.

“Upon discovering the event, HCPF moved quickly to investigate the incident, confirm that no HCPF systems were impacted, and identify potentially affected individuals,” HCPF says.

On August 11, the agency started notifying the potentially impacted individuals of the data breach, offering free credit monitoring and identity restoration services, along with guidance on how they can protect themselves against identity theft and fraud.

Last week, the Missouri Department of Social Services (DSS) announced that it was impacted by the MOVEit hack. The same as HCPF, the DSS data breach occurred through IBM. 

In May, Progress Software announced that a zero-day vulnerability had allowed cybercriminals to steal information transferred through the MOVEit Transfer managed file transfer (MFT) software.

According to data from cybersecurity firm Emsisoft, as of August 12, 2023, more than 660 organizations were impacted – directly and indirectly – by the MOVEit hack. The personal and health information of over 46 million people was affected.

Some of the organizations known to have been hit include government services firm Maximus, the US Department of Energy, Louisiana’s Office of Motor Vehicles, Norton parent company Gen Digital, Siemens Energy, Schneider Electric, and energy giant Shell.

Update: Responding to a SecurityWeek inquiry, an IBM spokesperson said:

IBM has worked closely with the Colorado Department of Health Care Policy and Financing (HCPF) and the Missouri Department of Social Services to determine and minimize the impact of the breach of MOVEit Transfer, a non-IBM data transfer program provided by Progress Software. Upon receiving notification of the breach from Progress, we moved quickly to isolate potentially impacted systems and have implemented a thorough mitigation plan. There has been no impact to IBM systems.

Related: Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks

Related: MOVEit: Testing the Limits of Supply Chain Security

Related: MOVEit Customers Urged to Patch Third Critical Vulnerability