Millions Impacted by Colorado Data Breach via IBM's MOVEit Transfer Use

The Colorado Department of Health Care Policy and Financing (HCPF) is alerting more than 4 million individuals of a data breach that impacted their personal and health information. The breach occurred via IBM‘s use of the MOVEit Transfer application.

HCPF oversees Health First Colorado, Colorado’s Medicaid program, Child Health Plan Plus (CHP+) and other health care programs for Coloradans who qualify.

IBM, a third-party vendor contracted with HCPF, uses the MOVEit Transfer application to move HCPF data files in the normal course of business. Progress Software publicly announced the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM. No HCPF or State of Colorado systems were affected by this issue, the agency said.

After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation to understand whether the incident impacted HCPF’s own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party.

“While HCPF confirmed that no HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023,” according to HCPF’s alert. “These files contained certain Health First Colorado and CHP+ members’ information. HCPF has since learned that certain individuals’ information was included in these files.”

Maine Attorney General Notification

HCPF notified the Maine Attorney General’s Office that more than 4 million individuals have been impacted, including nearly 1,100 in Maine.

The accessed information from HCPF may have included one or more of the following pieces of information for certain individuals: full names; social security numbers; Medicaid and Medicare ID numbers; dates of birth; home addresses and other contact information; demographic or income information; clinical and medical information (such as diagnosis/condition, lab results, medication or other treatment information); and health insurance information.

“HCPF takes information security seriously and apologizes for any inconvenience this incident may cause,” HCPF said. “HCPF and its vendors are reviewing their policies, procedures and cybersecurity safeguards to further protect their systems. As an added precaution, HCPF is offering potentially impacted individuals two years of free credit monitoring and identity restoration services provided through Experian.”

Missouri Data Breach Also Attributed to IBM’s MOVEit Transfer Use

Last week, the Missouri Department of Social Services (DSS) reported a May 2023 data security incident that occurred with IBM Consulting (IBM) that involved MOVEit Transfer software. IBM provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS. The agency says it took immediate steps in response to this incident that are ongoing.

IBM sent us the following statement:

“IBM has worked closely with the HCPF and DSS to determine and minimize the impact of the breach of MOVEit Transfer, a non-IBM data transfer program provided by Progress Software. Upon receiving notification of the breach from Progress, we moved quickly to isolate potentially impacted systems and have implemented a thorough mitigation plan. There has been no impact to IBM systems.”

Attacks Should Be ‘Clarion Call’

Zane Bond, head of product at Keeper Security, said while cyber teams continue to address this spate of attacks, the news should serve as a “clarion call” to every organization that this serious zero-day vulnerability must be remediated immediately.

Keeper Security’s Zane Bond

“Companies that are the custodians of critical information, such as those in the health care industry, require a much higher bar for security and monitoring than other types of organizations,” he said. “Vendor selection, outsourcing, bringing in any third-party products — all add layers of complexity to your defense strategy. Ensuring organizations select the correct vendors, via multiple facets including cost, functionality, usability, compatibility and of course security, is becoming increasingly important. Does a vendor have the right certifications and do they have a proven track record? However, even making these seemingly right choices can lead to a breach. Unfortunately this is the reality we live in, and it’s why defense in depth is an important pillar of cybersecurity.”

Evaluating Third-Party Risks Important

Sally Vincent, senior threat research engineer at LogRhythm, said apart from the difficulties of handling and identifying internal IT threats, evaluating risks associated with third parties is equally important.

“Especially in the health care sector, effective communication and notification tools, along with a profound grasp of configuring complex IT environments, becomes crucial,” she said. “This allows health care establishments an all-encompassing perspective of abnormal and harmful actions across the board, facilitating swift and exhaustive counteractions. By leveraging a robust security monitoring system that grants holistic transparency, including for third-party vendors, the likelihood of spotting compromise indicators and efficiently countering threats would have been significantly increased.”