Colorado says millions had their healthcare data stolen after MOVEit breach

Ransomware attack on a computer
(Image credit: Kaspersky)

The Colorado Department of Health Care Policy & Financing (HCPF) is the latest victim of the MOVEit supply chain attack, with the agency warning that records belonging to millions have been stolen.

As HCFP said in an announcement, its third-party contractor, IBM, used the MOVEit software, through which ransomware threat actors Clop stole sensitive data belonging to four million customers. 

HCPF launched an investigation after it was notified by IBM of the breach, to check what data had been compromised. It found that, "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023.”

Plenty of sensitive information

HCPF manages the Health First Colorado (Medicaid) and Child Health Plan Plus programs, as well as supporting low-income families, the elderly, and citizens with disabilities, BleepingComputer reports. 

The data stolen in the attack includes full names, Social Security Numbers, income information, demographic data, birth dates, postal addresses, and other contact information. Medicaid and Medicare ID numbers, as well as health and health insurance data, were also stolen. This is pure identity theft which can later be used for spear phishing, tax fraud, wire fraud, and more. 

To tackle the problem, HPCF said it would provide credit monitoring services via Experian for two years. 

MOVEit is a managed file transfer (MFT) program used by many high-profile organizations to share sensitive data, securely. In late May this year, MOVEit warned of a critical vulnerability discovered in its solution (later tracked as CVE-2023-34362), which could grant threat actors “escalated privileges and potential unauthorized access to the environment.”

Clop said it compromised “hundreds” of organizations, including 1st Source and First National Bankers Bank, Putnam Investments, Landal Greenparks, Shell, Datasite, National Student Clearinghouse, United Healthcare Student Resources, Leggett & Platt, ÖKK, and the University System of Georgia.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
ID theft
Over a million patients potentially hit after another US healthcare provider hit by cyberattack
Lock on Laptop Screen
United Healthcare data breach may have affected 190 million Americans
security
Ransomware gangs allegedly hit two major US healthcare firms, 300,000 patients have data stolen
healthcare
Top US health provider tells 882,000 patients they were hit in August 2023 breach
healthcare
Over a million clinical records exposed in data breach
ransomware avast
The biggest addiction treatment provider in the US says it was hit by data breach
Latest in Pro
An image of network security icons for a network encircling a digital blue earth.
Why multi-CDNs are going to shake up 2025
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Millwall FC The Den
The UK's first football club mobile network is here - but you probably won't guess which team has launched it
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
Latest in News
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Nespresso Vertuo Pop machine in Candy Pink with coffee drinks and capsules
My favorite Nespresso coffee maker just got a fresh new makeover, and now I love it even more
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC