Colorado says millions had their healthcare data stolen after MOVEit breach
The Colorado Department of Health Care Policy & Financing (HCPF) is the latest victim of the MOVEit supply chain attack, with the agency warning that the data of millions of people has been stolen.
As HCPF said in an announcement, its third-party contractor, IBM, used the MOVEit software, which the Clop ransomware threat actors used to steal sensitive data from four million customers.
HCPF launched an investigation after being notified of the breach by IBM to determine what data had been compromised. It found that “certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023.”
Lots of sensitive information
HCPF administers the Health First Colorado (Medicaid) and Child Health Plan Plus programs, and also supports low-income families, the elderly and citizens with disabilities, BleepingComputer reports.
The data stolen in the attack included full names, social security numbers, income information, demographics, dates of birth, mailing addresses, and other contact information. Medicaid and Medicare ID numbers, as well as health and health insurance information, were also stolen. This kind of data enables identity theft and can later be used for spear phishing, tax fraud, wire fraud and more.
To address the issue, HCPF said it would provide credit monitoring services through Experian for two years.
MOVEit is an MFT (Managed File Transfer) program used by many high-profile organizations to securely share sensitive data. In early June of this year, MOVEit warned of a critical vulnerability discovered in its software (subsequently tracked as CVE-2023-34362), which could grant threat actors “escalated privileges and potentially unauthorized access to the environment.”
Clop said it had put “hundreds” of organizations at risk, including 1st Source and First National Bankers Bank, Putnam Investments, Landal Greenparks, Shell, Datasite, National Student Clearinghouse, United Healthcare Student Resources, Leggett & Platt, ÖKK and the University System of Georgia.
Via BleepingComputer