Sensitive medical and health data on about 4.1 million Americans has been stolen, the result of a breach announced by the Colorado Department of Health Care Policy and Financing (HCPF). HCPF confirmed the breach was part of a massive MOVEit hack. It said IBM, one of the state’s vendors, “uses the MOVEit application to move HCPF data files in the normal course of business”.

HCPF, which oversees Health First Colorado (Colorado’s Medicaid program), Child Health Plan Plus (CHP+), and other health care programs, said that the compromised personal information may have included one or more of the following: full name, social security number, medicaid ID number, medicare ID number, date of birth, home address and other contact information, demographic or income information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), and health insurance information.

In a letter to the affected patients, HCPF said that “certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor,” and the HCPF urged those affected to be cautious.

Identity theft and fraud

“We encourage you to remain vigilant against identity theft and fraud by reviewing your bank and credit card accounts and monitoring your free credit reports to detect suspicious activity and errors,” Jane Wilson, Privacy Officer, said.

After discovering the breach, HCPF moved quickly to investigate the incident, and confirmed that no other HCPF systems were affected. HCPF and its vendors are also reviewing their policies, procedures and cybersecurity measures to further protect their systems.

Many organizations around the world have been affected by the MOVEit hack, and at the time of writing, over 70 institutions globally have announced breaches.

The Missouri Department of Social Services, another State Department, also announced it had been affected by the breach. Individual’s names, department client numbers, dates of birth, possible benefit eligibility status or coverage, and medical claims information were accessed. The DDS also encouraged Missourians to monitor and protect their identity after the third-party cyber-attack. The number of individuals affected has not been released.

“Certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor.”

Colorado Department of Health Care Policy and Financing

According to TechCrunch, neither Colorado’s HCPF nor Missouri’s DSS have been listed on the dark web leak site of the Clop ransomware gang, a Russia-linked group which is said to behind the mass hacks. The news site also says that Clop has written “We don’t have any government data” on their website.

Colorado State University breach

Another Colorado institution, the Colorado State University, also reported a breach earlier this summer. It said it had suffered a MOVEit-related data breach that affected tens of thousands of students and academic staff.

“While this incident is still part of an ongoing criminal and internal investigation, CDHE knows that an unauthorized actor(s) accessed CDHE systems between June 11 and June 19, 2023, and that certain data was copied from CDHE systems during this time,” the University said. It believes that data dating as far back as 2004 was breached.

To date, these institutions have reportedly been affected by the MOVEit hack:

1. The US Department of Energy
2. Shell company
3. First National Bankers Bank
4. Putnam Investments
5. Datasite
6. Swizz Insurance company ‘OKK’
7. Leggett & Platt
8. Multinational firm PricewaterhouseCoopers (Pwc)
9. Ernst & Young
10. Health Services Ireland
11. BBC
12. British Airways
13. Boots Retail
14. Medibank
15. Rochester Hospital
16. GreenShield Canada
17. Datasite
18. National Student Clearinghouse
19. United Healthcare Student Resources
20. University System of Georgia
21. German brand Heidelberg
22. Aer Lingus
23. Government of Nova Scatia
24. Johns Hopkins University
25. Ofcom
26. Transport for London (TfL)
27. Ernst and Young
28. Gen Digital, the parent company of Avast, Norton, AVG, Avira and LifeLock
29. New York City Department of Education attack impacted about 45k students
30. Siemens Energy
31. Schneider Electric
32. Dublin Airport Staff
33. Shutterfly.com
34. Allegiant Air
35. American Airlines
36. Irelands commission of Communications Regulation
37. Estee Lauder
38. Sierra Wireless
39. Bluefin Payment System
40. TJX Companies
41. Ventiv Technology
42. Vitality Group International
43. University of Alaska
44. University of Colorado
45. University of Dayton
46. University of Delaware
47. University of Idaho
48. University of Illinois
49. University of Loyola
50. University of Missouri
51. University of Oklahoma
52. University of Rochester
53. University of Southern Illinois
54. University of Utah
55. University of Wake Forest
56. University of Washington State
57. Webster University
58. PBI Research Service
59. Teachers Insurance and Annuity Association
60. Honeywell
61. American Multi Cinema Inc aka AMC Theatres
62. Warner Bros
63. Discovery
64. Raddison Americas
65. Crowe
66. ING Bank
67. Deutsche Bank
68. Postbank
69. Maximus
70. Serco Inc
71. Aristocrat
72. Clorox (yet to be confirmed officially),
73. Colorado Department of Health Care Policy & Financing (HCPF)
74. UMass Chan Medical School of Massachusetts health