Millions of US health records breached in massive IBM MOVEit hack

Health data of over four million Americans leaked from the Colorado Department of Health Care Policy and Financing as global impact of hack grows.

Sensitive medical and health data on about 4.1 million Americans has been stolen, the result of a breach announced by the Colorado Department of Health Care Policy and Financing (HCPF). HCPF confirmed the breach was part of a massive MOVEit hack. It said IBM, one of the state’s vendors, “uses the MOVEit application to move HCPF data files in the normal course of business”.

HCPF, which oversees Health First Colorado (Colorado’s Medicaid program), Child Health Plan Plus (CHP+), and other health care programs, said that the compromised personal information may have included one or more of the following: full name, Social Security number, Medicaid ID number, Medicare ID number, date of birth, home address and other contact information, demographic or income information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), and health insurance information.

In a letter to the affected patients, HCPF said that “certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor,” and urged those affected to be cautious.

Identity theft and fraud

“We encourage you to remain vigilant against identity theft and fraud by reviewing your bank and credit card accounts and monitoring your free credit reports to detect suspicious activity and errors,” Jane Wilson, Privacy Officer, said.

After discovering the breach, HCPF moved quickly to investigate the incident, and confirmed that no other HCPF systems were affected. HCPF and its vendors are also reviewing their policies, procedures and cybersecurity measures to further protect their systems.

Many organizations around the world have been affected by the MOVEit hack, and at the time of writing, over 70 institutions globally have announced breaches.

The Missouri Department of Social Services (DSS), another state department, also announced it had been affected by the breach. Individuals’ names, department client numbers, dates of birth, possible benefit eligibility status or coverage, and medical claims information were accessed. The DSS also encouraged Missourians to monitor and protect their identity after the third-party cyber-attack. The number of individuals affected has not been released.

According to TechCrunch, neither Colorado’s HCPF nor Missouri’s DSS has been listed on the dark web leak site of the Clop ransomware gang, a Russia-linked group which is said to be behind the mass hacks. The news site also says that Clop has written “We don’t have any government data” on its website.

Colorado State University breach

Another Colorado institution, Colorado State University, also reported a breach earlier this summer. It said it had suffered a MOVEit-related data breach that affected tens of thousands of students and academic staff.

“While this incident is still part of an ongoing criminal and internal investigation, CDHE knows that an unauthorized actor(s) accessed CDHE systems between June 11 and June 19, 2023, and that certain data was copied from CDHE systems during this time,” the University said. It believes that data dating as far back as 2004 was breached.

To date, these institutions have reportedly been affected by the MOVEit hack:

  1. The US Department of Energy
  2. Shell company
  3. First National Bankers Bank
  4. Putnam Investments
  5. Datasite
  6. Swiss insurance company ‘OKK’
  7. Leggett & Platt
  8. Multinational firm PricewaterhouseCoopers (PwC)
  9. Ernst & Young
  10. Health Services Ireland
  11. BBC
  12. British Airways
  13. Boots Retail
  14. Medibank
  15. Rochester Hospital
  16. GreenShield Canada
  17. Datasite
  18. National Student Clearinghouse
  19. United Healthcare Student Resources
  20. University System of Georgia
  21. German brand Heidelberg
  22. Aer Lingus
  23. Government of Nova Scotia
  24. Johns Hopkins University
  25. Ofcom
  26. Transport for London (TfL)
  27. Ernst and Young
  28. Gen Digital, the parent company of Avast, Norton, AVG, Avira and LifeLock
  29. New York City Department of Education (attack impacted about 45k students)
  30. Siemens Energy
  31. Schneider Electric
  32. Dublin Airport Staff
  33. Shutterfly.com
  34. Allegiant Air
  35. American Airlines
  36. Ireland’s Commission for Communications Regulation
  37. Estee Lauder
  38. Sierra Wireless
  39. Bluefin Payment System
  40. TJX Companies
  41. Ventiv Technology
  42. Vitality Group International
  43. University of Alaska
  44. University of Colorado
  45. University of Dayton
  46. University of Delaware
  47. University of Idaho
  48. University of Illinois
  49. University of Loyola
  50. University of Missouri
  51. University of Oklahoma
  52. University of Rochester
  53. University of Southern Illinois
  54. University of Utah
  55. University of Wake Forest
  56. University of Washington State
  57. Webster University
  58. PBI Research Service
  59. Teachers Insurance and Annuity Association
  60. Honeywell
  61. American Multi Cinema Inc aka AMC Theatres
  62. Warner Bros
  63. Discovery
  64. Radisson Americas
  65. Crowe
  66. ING Bank
  67. Deutsche Bank
  68. Postbank
  69. Maximus
  70. Serco Inc
  71. Aristocrat
  72. Clorox (yet to be confirmed officially)
  73. Colorado Department of Health Care Policy & Financing (HCPF)
  74. UMass Chan Medical School of Massachusetts health