Millions of Americans have reportedly been impacted by a massive data breach that has led to their health data being stolen. Cyber attackers leveraged a previously unknown vulnerability in the widely used MOVEit file transfer software to breach systems used by the technology powerhouse IBM. The Colorado Department of Health Care Policy and Financing (HCPF) has confirmed this development and has also informed the affected individuals.
“On May 31, 2023, Progress Software discovered a problem affecting its MOVEit Transfer application. IBM, a third-party vendor contracted with HCPF, uses the MOVEit application to move HCPF data files in the normal course of business. Progress Software publicly announced that the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM. No HCPF or State of Colorado systems were affected by this issue,” said a statement issued by HCPF.
The information that may have been accessed by the hackers includes name, Social Security number, medical information, and health insurance information. Following IBM's notification of its involvement in the MOVEit incident, the Health Care Policy and Financing (HCPF) department swiftly initiated an investigation, the statement added. The primary objectives were to ascertain the impact of the incident on HCPF's internal systems and to determine whether any unauthorized access had occurred to the protected health information of Health First Colorado or CHP+ members. While the investigation confirmed that no other HCPF systems or databases had been compromised, a significant development emerged on 13 June 2023.
The inquiry revealed that specific HCPF files within the MOVEit application, utilized in conjunction with IBM, had been illicitly accessed by an unauthorized entity around 28 May 2023. These compromised files contained sensitive data pertaining to Health First Colorado and CHP+ members. In response to the incident, the Health Care Policy and Financing (HCPF) agency has taken proactive steps to mitigate the impact on affected individuals. To this end, HCPF has arranged for the provision of complimentary credit monitoring services for a duration of twenty-four (24) months.
This service, facilitated in collaboration with Experian, is being extended to individuals whose personal information might have been compromised during the incident. The initiative aims to alleviate any potential consequences by offering this safeguard at no expense to the affected individuals.