Colorado says millions had their healthcare data stolen after MOVEit breach

Ransomware attack on a computer
(Image credit: Kaspersky)

The Colorado Department of Health Care Policy & Financing (HCPF) is the latest victim of the MOVEit supply chain attack, with the agency warning that records belonging to millions have been stolen.

As HCFP said in an announcement, its third-party contractor, IBM, used the MOVEit software, through which ransomware threat actors Clop stole sensitive data belonging to four million customers. 

HCPF launched an investigation after it was notified by IBM of the breach, to check what data had been compromised. It found that, "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023.”

Plenty of sensitive information

HCPF manages the Health First Colorado (Medicaid) and Child Health Plan Plus programs, as well as supporting low-income families, the elderly, and citizens with disabilities, BleepingComputer reports. 

The data stolen in the attack includes full names, Social Security Numbers, income information, demographic data, birth dates, postal addresses, and other contact information. Medicaid and Medicare ID numbers, as well as health and health insurance data, were also stolen. This is pure identity theft which can later be used for spear phishing, tax fraud, wire fraud, and more. 

To tackle the problem, HPCF said it would provide credit monitoring services via Experian for two years. 

MOVEit is a managed file transfer (MFT) program used by many high-profile organizations to share sensitive data, securely. In late May this year, MOVEit warned of a critical vulnerability discovered in its solution (later tracked as CVE-2023-34362), which could grant threat actors “escalated privileges and potential unauthorized access to the environment.”

Clop said it compromised “hundreds” of organizations, including 1st Source and First National Bankers Bank, Putnam Investments, Landal Greenparks, Shell, Datasite, National Student Clearinghouse, United Healthcare Student Resources, Leggett & Platt, ÖKK, and the University System of Georgia.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.