top of page

Massive Data Breach Hits Colorado Health Agency, Exposing 4 Million Individuals' Sensitive Data

A significant data breach has rocked the Colorado Department of Health Care Policy & Financing (HCPF), affecting over four million individuals whose personal and health information was compromised. The HCPF, responsible for overseeing Health First Colorado (Medicaid) and Child Health Plan Plus programs, which assist low-income families, the elderly, and citizens with disabilities, was targeted in a hacking campaign that exploited a zero-day vulnerability (CVE-2023-34362) in the MOVEit Transfer software, a situation that has had global implications for hundreds of organizations.

While HCPF's internal systems remained unscathed, the breach occurred through a contractor, IBM, which was using the MOVEit software. Following IBM's alert, HCPF promptly launched an investigation to assess the extent of the impact. The results revealed that certain files within the MOVEit application, used by IBM, were accessed by an unauthorized actor around May 28, 2023. The accessed data encompassed sensitive information of Health First Colorado and CHP+ members, including full names, Social Security Numbers, Medicaid and Medicare ID numbers, birth dates, addresses, contact information, income details, demographic data, clinical information (diagnoses, lab outcomes, treatments, medications), and health insurance specifics.

This treasure trove of data could facilitate phishing, social engineering, and identity or bank fraud attempts. Shockingly, the breach exposed the personal information of a staggering 4,091,794 individuals. In response, HCPF is taking proactive measures by offering affected parties two years of credit monitoring services via Experian, in an effort to counteract potential fraudulent activities.

This incident marks the second high-profile data breach in Colorado within a week. The Department of Higher Education (CDHE) recently disclosed a ransomware attack that impacted numerous students and educators. The attackers not only encrypted network computers but also exploited stolen data for double extortion purposes. Similarly, the Colorado State University revealed a breach stemming from its use of the vulnerable MOVEit Transfer software, affecting a substantial number of students and academic staff.

Sally Vincent, Senior Threat Research Engineer at LogRhythm shared her insights on the Colorado Department of Health Care Policy & Financing (HCPF) breach and how organizations can combat third-party security risk:

"This incident follows right on the heels of a cyberattack on the Colorado Department of Higher Education (CDHE) and resulting data breach involving unauthorized access to the Department’s systems spanning a 13-year period and compromising names, social security numbers, dates of birth, addresses, photocopies of government IDs, and in certain cases, police reports or complaints related to identity theft.

Apart from the difficulties of handling and identifying internal IT threats, evaluating risks associated with third parties is equally important. Especially in the healthcare sector, effective communication and notification tools, along with a profound grasp of configuring complex IT environments, becomes crucial. This allows healthcare establishments an all-encompassing perspective of abnormal and harmful actions across the board, facilitating swift and exhaustive counteractions. By leveraging a robust security monitoring system that grants holistic transparency, including for third-party vendors, the likelihood of spotting compromise indicators and efficiently countering threats would have been significantly increased." ###


bottom of page