Colorado Alerts 4 Million Citizens of Data Breach Following IBM MOVEit Exploit

August 14, 2023

The Colorado Department of Health Care Policy & Financing (HCPF) has issued a data breach notification to more than four million individuals whose personal and health information was compromised. The breach was facilitated by a Clop ransomware attack that exploited a vulnerability in the MOVEit Transfer software (CVE-2023-34362), affecting hundreds of organizations around the world. The HCPF, a state government agency that oversees the Health First Colorado (Medicaid) and Child Health Plan Plus programs, clarified that their systems were not directly compromised. Instead, the data exposure occurred via IBM, their contractor, which used the MOVEit software.

The HCPF statement reads, "After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted its own systems, and to determine whether Health First Colorado or CHP+ members' protected health information was accessed by an unauthorized party. While HCPF confirmed that no other HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023".

The investigation revealed that the threat actors accessed and likely exfiltrated files containing certain Health First Colorado and CHP+ members' information. This data can be used to launch effective phishing or social engineering attacks, and can assist with identity or bank fraud activity. In total, the data of 4,091,794 people has been exposed. To help counteract fraud attempts, HPCF is offering two years of credit monitoring services via Experian to all individuals who received the data breach notification.

This disclosure comes just a week after another large state organization in Colorado, the Department of Higher Education (CDHE), revealed that a massive data breach caused by a ransomware attack had impacted a large number of students and teachers. The CDHE reported that the threat actors used the stolen data to perform double extortion and encrypted network computers, but did not specify how the hackers gained access to the network.

In July 2023, Colorado State University disclosed a data breach resulting from its use of the vulnerable MOVEit Transfer software, impacting tens of thousands of students and academic staff.

Related News

• Rise in Ransomware Attacks Through Zero-Day Exploits: An Analysis
• US Government Contractor Maximus Suffers Massive Data Breach Affecting Millions
• Schneider Electric and Siemens Energy Fall Prey to Clop Ransomware Attack
• Massive Data Breach at NYC Department of Education: 45,000 Students' Data Stolen
• Gen Digital, Norton's Parent Company, Targeted in MOVEit Ransomware Attack

Latest News

• Critical Remote Code Execution Vulnerability in Ghostscript: PoC Released
• Worldwide Industrial PLCs Vulnerable Due to CODESYS V3 RCE Flaws
• Dell Compellent Bug Leaves VMWare Environments Vulnerable to Attacks
• CISA Uncovers 'Whirlpool' Backdoor in Barracuda ESG Attacks
• CISA Highlights Exploited Flaw in .NET and Visual Studio