The Colorado Department of Health Care Policy and Financing (HCPF) has reported a breach that compromised the data of more than 4 million individuals. The incident was attributed to IBM, a vendor for the state, which utilizes the MOVEit application for the transfer of HCPF data files.
Despite this breach, HCPF and the Colorado state government's infrastructure remain unaffected, as far as anyone knows at this point. However, unauthorized access was gained by an external entity to specific HCPF files on the application managed by IBM. The compromised files contained comprehensive personal data, encompassing full names, dates of birth, addresses, Social Security numbers, medical records, laboratory results, medication history, Medicare and Medicaid ID numbers, income information, and more.
Another organization impacted by this recent breach is Missouri’s Department of Social Services (DSS). It also uses IBM services. DSS has disclosed that exposed data might encompass an individual's name, department client identification number, birth date, and information concerning potential benefit eligibility status or coverage, along with medical claims data.
Adding insult to injury in Colorado, the Colorado Department of Higher Education divulged an incident involving a ransomware attack, resulting in the exfiltration of 16 years' worth of data from their systems. Likewise, Colorado State University was not immune, falling victim to a MOVEit-related breach that impacted tens of thousands of students and faculty.
An in other data breach news, PH Tech, a healthcare insurer data management service provider, revealed that the health information of 1.7 million Oregon residents was compromised due to MOVEit.
MOVEit obviously won’t stay out of the news, so it’s best to take action to mitigate compromise on your systems. Updating with the latest patches is primary, but it’s also recommended that you Disable all HTTP and HTTPs traffic to the MOVEit Transfer environment. The FBI’s Cybersecurity & Infrastructure Security Agency (CISA) has also listed several recommendations for prevention and mitigation as well. As always, instruct all users on identification of phishing and have a plan in place to react in case anyone falls victim to this or any phishing attack.
In a separate incident unrelated to MOVEit, HCA Healthcare experienced the most substantial data breach within the U.S. healthcare sector this year. That breach exposed the personal details, including names, addresses, and appointment specifics, of approximately 11.2 million individuals.