Colorado Alerts 4 Million Citizens of Data Breach Following IBM MOVEit Exploit

August 14, 2023

The Colorado Department of Health Care Policy & Financing (HCPF) has issued a data breach notification to more than four million individuals whose personal and health information was compromised. The breach was facilitated by a Clop ransomware attack that exploited a vulnerability in the MOVEit Transfer software (CVE-2023-34362), affecting hundreds of organizations around the world. The HCPF, a state government agency that oversees the Health First Colorado (Medicaid) and Child Health Plan Plus programs, clarified that its systems were not directly compromised. Instead, the data exposure occurred via IBM, its contractor, which used the MOVEit software.

The HCPF statement reads, "After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted its own systems, and to determine whether Health First Colorado or CHP+ members' protected health information was accessed by an unauthorized party. While HCPF confirmed that no other HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023".

The investigation revealed that the threat actors accessed and likely exfiltrated files containing certain Health First Colorado and CHP+ members' information. This data can be used to launch effective phishing or social engineering attacks, and can assist with identity or bank fraud activity. In total, the data of 4,091,794 people has been exposed. To help counteract fraud attempts, HCPF is offering two years of credit monitoring services via Experian to all individuals who received the data breach notification.

This disclosure comes just a week after another large state organization in Colorado, the Department of Higher Education (CDHE), revealed that a massive data breach caused by a ransomware attack had impacted a large number of students and teachers. The CDHE reported that the threat actors used the stolen data to perform double extortion and encrypted network computers, but did not specify how the hackers gained access to the network.

In July 2023, Colorado State University disclosed a data breach resulting from its use of the vulnerable MOVEit Transfer software, impacting tens of thousands of students and academic staff.
