Colorado HCPF breached via IBM attack, clinical data stolen

Updated on: 14 August 2023

Vilius Petkauskas
Deputy Editor

Image by Cybernews.

Data from the Colorado Department of Health Care Policy and Financing (HCPF) was stolen via the MOVEit Transfer attacks, with attackers stealing info from HCPF’s third-party contractor IBM. Individuals’ clinical and medical data are exposed.

Colorado HCPF, the administrator of Colorado’s Medicaid program and other states’ public health care programs, reached out to millions of its customers. The organization said that it has fallen victim to MOVEit Transfer attacks via a third party.

“IBM, a third-party vendor contracted with HCPF, uses the MOVEit application to move HCPF data files in the normal course of business. Progress Software publicly announced that the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM,” the letter said.

In early June, the Cl0p ransomware gang claimed responsibility for exploiting a SQL database injection vulnerability in the MOVEit Transfer file system, impacting thousands of companies worldwide.

What data did the breach expose?

Following the incident, HCPF launched an investigation that revealed that, while attackers did not access the organization’s systems, millions of customers’ data was exposed.

“While we confirmed that no other HCPF systems or databases were impacted, […], the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28th, 2023,” HCPF said.

According to EY’s letter to the Maine Attorney General, over four million individuals were exposed in the attack. The exposed data may have included:

Full names
Social Security numbers
Medicaid ID numbers
Medicare ID numbers
Dates of birth
Home address
Demographic or income info
Clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information)
Health insurance information

Individual healthcare data can be sold for hundreds of dollars on dark web forums. Malicious actors use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other personal identifiable information (PII) may be used to commit fraud: from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

To help reduce the data security impact on victims of the attack, HCPF said it would offer two years of free credit monitoring and identity restoration services. However, the organization cannot enroll affected individuals directly “due to privacy reasons,” which means that people who received the letter will have to take care of it themselves.

Who’s behind the attack?

So far, around 670 organizations and 46 million have been confirmed to be impacted by Cl0p’s MOVEit Transfer attacks. EY and other major accounting firms, such as Deloitte and PwC, have also been among the impacted.

For example, EY said over 30,000 Bank of America customers were exposed via the MOVEit Transfer attacks, with threat actors accessing financial account information and credit card numbers.

Earlier, Colorado’s Department of Higher Education was also breached, with anyone who studied at a public high school in the state between 2004 and 2020 may have had their personal data illegally accessed.

Numerous well-known organizations have had their clients exposed in the attack. Recently, TD Ameritrade, a US stockbroker, said over 60,000 of its clients were exposed, with Cl0p taking the financial account data of some.

Other named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, and Johns Hopkins University and Health System, Warner Bros Discovery, AMC Theatres, Honeywell, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.