Colorado healthcare data of 4 million people leaked in breach

Healthcare data is one of the most sensitive pieces of information. However, in a recent development, the Colorado Department of Health Care Policy & Financing (HCPF) fell victim to a malicious supply chain attack, resulting in the breach of sensitive medical and health information belonging to millions of Americans.

How did the breach work?

The notorious hacking group, Clop, which previously targeted various financial institutions, including 1st Source and First National Bankers Bank, has claimed responsibility for this attack.

To execute the breach, the threat actors exploited a zero-day vulnerability in IBM’s MOVEit file transfer software, which the HCPF used to manage vulnerable demographics, such as low-income families, the elderly, and individuals with disabilities, under the Health First Colorado (Medicaid) and Child Health Plan Plus programs. While the exact extent is still a subject of debate, reports suggest that the breach has impacted over four million customer records. These records include full names, Social Security Numbers, income specifics, demographic details, birthdates, physical addresses, and other means of contact.

To make matters worse, hackers also managed to access critical Medicaid and Medicare ID numbers alongside health-related and insurance data. The substantial volume of compromised data could potentially facilitate identity theft by threat actors.

Furthermore, the vulnerability, known as CVE-2023-34362, has highlighted broader risks associated with the MOVEit software, as threat actors can use it to acquire additional privileges, thereby gaining unauthorized access to even more sensitive environments.

Response to the breach

In light of the breach, HCPF has committed to providing two years of credit monitoring services through Experian. And although these measures may appear modest, the department is actively enhancing its cybersecurity defenses and managing the repercussions stemming from the MOVEit supply chain breach. Furthermore, HCPF has issued a warning to victims, advising them to take proactive measures to safeguard their personal information, such as monitoring account statements, reviewing free credit reports, and placing fraud alerts.