The sensitive medical and health records of millions of Americans were illicitly accessed when hackers capitalized on a zero-day vulnerability within the widely utilized MOVEit file transfer software. The attack was directed at the systems managed by tech giant IBM.
Colorado’s Department of Health Care Policy and Financing (HCPF), responsible for overseeing the state’s Medicaid program, confirmed the occurrence of the MOVEit-based cyberattacks on Friday. As a result, the private data of over four million patients was compromised.
In their notification about the data breach to the affected individuals, Colorado’s HCPF clarified that the data compromise transpired because IBM, a vendor for the state, employs the MOVEit application to manage HCPF data files in the course of their regular operations.
The communication indicates that although neither the HCPF nor the Colorado state government systems were compromised, certain HCPF files stored within the IBM-utilized MOVEit application were accessed without authorization.
These accessed files contain comprehensive information, encompassing patients’ complete names, dates of birth, residential addresses, Social Security numbers, Medicaid and Medicare identification numbers, income particulars, clinical and medical records involving laboratory outcomes and prescribed medications, as well as health insurance details.
Approximately 4.1 million individuals are estimated to be impacted by this incident, as reported by HCPF.
As of now, IBM has not officially acknowledged its involvement in the MOVEit cyberattacks. An IBM representative did not respond to a query from TechCrunch seeking commentary on the matter.
The breach involving IBM’s MOVEit systems also had repercussions on Missouri’s Department of Social Services (DSS), although the precise number of affected individuals is yet to be ascertained. Notably, Missouri state has a population exceeding six million residents.
In a notification released last week regarding the data breach, Missouri’s DSS conveyed, “IBM functions as a vendor offering services to DSS, the state agency responsible for delivering Medicaid services to eligible individuals in Missouri. The security flaw in the data did not have a direct impact on any DSS systems, but it did affect data under DSS.”
According to DSS, the accessed data might encompass an individual’s name, client identification number within the department, date of birth, potential eligibility status or coverage for benefits, and information regarding medical claims.
It’s worth noting that both Colorado’s HCPF and Missouri’s DSS are not found on the dark web leakage platform associated with the Clop ransomware group, which has asserted responsibility for the widespread hacking incidents. A statement on the group’s site, linked to Russia, declares, “We do not possess any government-related data.”
The recent breach in Colorado’s security emerged just within a few days after the Colorado Department of Higher Education disclosed a ransomware incident, resulting in hackers infiltrating their systems and extracting data spanning 16 years. Similarly, Colorado State University acknowledged last month that it had encountered a data breach linked to MOVEit, impacting a considerable number of students and academic staff members.
Simultaneously, PH Tech, a firm specializing in data management services for healthcare insurers in the U.S., has affirmed its exposure to the MOVEit hacks, affecting the health data of around 1.7 million residents of Oregon.
Among the significant security breaches within U.S. healthcare providers this year, the most extensive pertains to HCA Healthcare. This incident, unrelated to MOVEit, involved the exposure of personal details such as names, addresses, and appointment information of 11.2 million individuals.
