Colorado HCPF Department notifies 4 million individuals after IBM MOVEit breach

The Colorado Department of Health Care Policy & Financing (HCPF) disclose a data breach after MOVEit attack on IBM.

The Colorado Department of Health Care Policy & Financing (HCPF) disclosed a data breach that impacted more than four million individuals.

The incident is the result of a MOVEit attack on IBM, threat actors accessed the personal and health information of the impacted individuals.

“After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation
right away to understand whether the incident impacted its own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party.” reads the reads the notice. by the company. “While HCPF confirmed that no other HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023. These files contained certain Health First Colorado and CHP+ members’ information.”

Information potentially exposed includes full name, Social Security number, Medicaid ID number, Medicare ID number, date of birth, home address and other contact information, demographic or income information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), and health insurance information.

Threat actors can exploit this data to carry out a broad range of fraudulent activities, from phishing attacks to identity theft.

The Colorado Department of Health Care Policy & Financing (HCPF) is a state government agency in the U.S. state of Colorado. It is responsible for managing and overseeing various health care programs and policies within the state. HCPF’s primary focus is on providing access to affordable and quality healthcare services for eligible individuals and families.

Once discovered the security breach, HCPF quickly launched an investigation into the incident. The company pointed out that its systems were impacted, it also added to have identified potentially affected individuals. In response to the incident, the company is reviewing policies, procedures and cybersecurity safeguards to enhance the cyber security of its systems.

HCPF is providing access to credit monitoring services for twenty-four months, through Experian, to impacted individuals along with guidance on how to better protect against identity theft and fraud.

Colorado HCPF is the last victim of the attacks exploiting the flaw CVE-2023-34362 affecting the Progress Software’s MOVEit file transfer platform.

MOVEit Transfer is a managed file transfer that is used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.

The vulnerability is a SQL injection vulnerability, it can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

A few days after the release of Progress’s advisory, the Clop ransomware gang (aka Lace Tempest) was credited by Microsoft for the recent campaign that exploits a zero-day vulnerability, tracked as CVE-2023-34362, in the MOVEit Transfer platform.

The Clop ransomware group claimed to have hacked hundreds of companies globally by exploiting MOVEit Transfer vulnerability. The list of victims of ransomware attacks exploiting the MOVEit Transfer zero-day includes the U.S. Department of Energy, British Airways, Boots, the BBC, Aer Lingus, Ofcom, Shell, University of Rochester, Schneider Electric, Siemens Energy, and Gen Digital.

The US State Department offered a $10 million reward for any information which would link members of the Cl0p ransomware gang to a foreign government.

In June a ransomware attack hit the Colorado Department of Higher Education (CDHE), now the organization disclosed a data breach. CDHE did not disclose the number of impacted individuals.

CDHE discovered the ransomware attack on June 19, 2023, it immediately launched an investigation into the security breach with the help of third-party specialists.

In early August, The Colorado Department of Higher Education (CDHE) finally disclosed a data breach impacting students, past students, and teachers after the June attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, OT)