The Colorado Department of Health Care Policy & Financing (HCPF) Discloses Data Breach
The Colorado Department of Health Care Policy & Financing (HCPF), a state government agency supporting low-income families, the elderly, and citizens with disabilities, has alerted over four million individuals about a data breach that compromised their personal and health information.
The breach resulted from exploitation of the MOVEit Transfer zero-day (CVE-2023-34362) in a hacking campaign conducted by the Clop ransomware group. This campaign affected numerous organizations worldwide.
HCPF clarifies that while its own systems remained uncompromised, the data exposure occurred through its contractor, IBM, which used the MOVEit software.
The notice from HCPF states, “After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted its own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party.”
The investigation revealed that the threat actors accessed and likely exfiltrated files containing sensitive information of Health First Colorado and CHP+ members. This information includes full names, Social Security Numbers (SSNs), Medicaid ID numbers, Medicare ID numbers, dates of birth, home addresses, contact information, income information, demographic data, clinical data (diagnosis, lab results, treatment, medication), and health insurance information.
The exposed data can be exploited for effective phishing or social engineering attacks, as well as for identity or bank fraud.
A total of 4,091,794 individuals have been affected by this data breach. HCPF has taken measures to counteract fraud attempts by providing two years of credit monitoring services via Experian to all affected individuals.
This disclosure comes shortly after the Department of Higher Education (CDHE) in Colorado announced a major data breach caused by a ransomware attack, which impacted a significant number of students and teachers. The CDHE reported that the threat actors used the stolen data for double extortion and encrypted network computers, but did not provide details on how the hackers gained access to the network.
In July 2023, Colorado State University also disclosed a data breach resulting from its use of vulnerable MOVEit Transfer software. This breach affected tens of thousands of students and academic staff.