The Colorado Department of Health Care Policy & Financing (HCPF) is alerting more than 4 million individuals of a data breach that impacted their personal and health information.
Colorado HCPF is a state government agency that manages the Health First Colorado (Medicaid) and Child Health Plan Plus programs, and provides support for low-income families, the elderly, and residents with disabilities.
The data breach was possible after Clop ransomware exploited the MOVEit Transfer zero-day (CVE-2023-34362) in a hacking campaign that impacted hundreds of organizations worldwide.
HCPF clarifies that while their systems weren’t directly compromised, the data exposure occurred through IBM, their contractor, which used the MOVEit software.
“After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation immediately to understand whether the incident impacted its own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party,” reads the notice.
“While HCPF confirmed that no other HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023” – Colorado Department of Health Care Policy & Financing
The investigation revealed that the threat actors managed to access and likely exfiltrated files that contained certain Health First Colorado and CHP+ members’ information, including:
- Full names
- Social Security Numbers (SSNs)
- Medicaid ID number
- Medicare ID number
- Date of birth
- Home address
- Contact information
- Income information
- Demographic data
- Medical data (diagnosis, lab results, treatment, medication)
- Health insurance information
The above data could be used to launch effective phishing or social engineering attacks, and can help with identity or bank fraud activity.
In total, data of 4,091,794 people has been exposed. For all individuals who received the data breach notification, HCPF provides two years of credit monitoring services through Experian to help counteract fraud attempts.
This disclosure comes only a week after another large state organization in Colorado, the Department of Higher Education (CDHE), disclosed that a massive data breach caused by a ransomware attack had impacted a large number of students and teachers.
The CDHE said the threat actors leveraged the stolen data to perform double extortion and encrypted network computers; however, it didn’t clarify how the hackers gained access to the network.
In July 2023, Colorado State University disclosed a data breach resulting from its use of the vulnerable MOVEit Transfer software, impacting tens of thousands of students and academic staff.