The Colorado Department of Health Care Policy & Financing (HCPF) has exposed a grave data breach affecting over four million individuals, following a MOVEit attack on IBM. The breach granted threat actors access to personal and health information, including sensitive details such as Social Security numbers and medical IDs.
Upon being notified by IBM, HCPF promptly initiated an investigation to ascertain the extent of the impact, focusing on whether Health First Colorado or CHP+ members’ protected health information had been compromised. While no other HCPF systems were affected, the inquiry revealed unauthorized access to specific files through the MOVEit application used by IBM.
The compromised information encompassed a range of personal data, from full names to clinical and medical records, increasing the potential for fraudulent activities like phishing attacks and identity theft. HCPF, a state government agency in Colorado, is dedicated to managing healthcare programs and facilitating access to quality healthcare services for eligible individuals and families.
Responding to the breach, HCPF not only undertook a swift investigation but also identified potentially impacted parties and is now revising policies and cybersecurity measures to bolster system protection.
To mitigate risks for those affected, HCPF is offering credit monitoring services for two years, collaborating with Experian and offering guidance on safeguarding against identity theft and fraud. This breach is part of a broader trend, as the MOVEit vulnerability (CVE-2023-34362) continues to be exploited by cybercriminals. The Clop ransomware group, also known as Lace Tempest, has harnessed this flaw to target numerous organizations globally, including notable entities like the U.S. Department of Energy and British Airways.
The severity of these attacks has led the U.S. State Department to offer a substantial reward for information linking the Clop ransomware group to foreign governments.
