Colorado Health Care Data Breach

[Lee B]

"The Colorado Department of Health Care Policy & Financing (HCPF) is alerting more than four million individuals of a data breach that impacted their personal and health information.

Colorado HCPF is a state government agency that manages the Health First Colorado (Medicaid) and Child Health Plan Plus programs, and provides support for low-income families, the elderly, and citizens with disabilities.

The data breach was possible after Clop ransomware exploited the MOVEit Transfer zero-day (CVE-2023-34362) in a hacking campaign that impacted hundreds of organizations worldwide.

HCPF clarifies that while their systems weren't directly compromised, the data exposure occurred through IBM, their contractor, which utilized the MOVEit software.

The investigation revealed that the threat actors managed to access and likely exfiltrated files that contained certain Health First Colorado and CHP+ members' information, including:

Full names

Social Security Numbers (SSNs)

Medicaid ID number

Medicare ID number

Date of Birth

Home address

Contact information

Income information

Demographic data

Clinical data (diagnosis, lab results, treatment, medication)

Health insurance information."

Now it's 6 weeks later and they're just getting around to acknowledging the breach and notifying 4 million people.