Millions of Americans had their private medical and health information stolen after hackers broke into systems run by computer giant IBM and took advantage of a zero-day flaw in the widely used MOVEit file transfer program.
The Medicaid program in Colorado is run by the Department of Health Care Policy and Financing (HCPF), which acknowledged on Friday that it had been breached by the MOVEit mass-hacks, exposing the data of more than four million patients.
Colorado’s HCPF informed customers who were impacted about a data breach, noting that IBM, one of the state’s vendors, “uses the MOVEit application to move HCPF data files in the normal course of business.”
Although this issue did not affect any systems used by the HCPF or the Colorado state government, the letter claims that “certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor.”
The full names, birth dates, residences, Social Security numbers, Medicaid and Medicare ID numbers, income details, clinical and medical data, including lab results and medication information, and health insurance details are all contained in these files.
According to HCPF, 4.1 million people are impacted.
The Department of Social Services (DSS) in Missouri was also affected by the IBM MOVEit system breach, albeit the precise number of victims is unknown at this time. Missouri is home to more than six million people.
IBM is a vendor that offers services to DSS, the state agency that offers Medicaid services to qualified Missourians, according to a data breach notification filed last week by Missouri’s DSS. The data vulnerability affected DSS data but had no direct effect on any DSS systems.
According to DSS, the information obtained may include a person’s name, department client number, date of birth, potential status for benefit eligibility or coverage, and details about medical claims.
The Clop ransomware gang, which has taken credit for the widespread cyber intrusions, has not placed Missouri’s DSS or Colorado’s HCPF on its dark web leak site. The Russia-link group asserts in a message on the website that “We don’t have any government data.”
The Colorado Department of Higher Education recently reported experiencing a ransomware incident in which hackers gained access to and copied 16 years’ worth of data from its computers. The announcement of Colorado’s latest breach came just days later. Last month, Colorado State University also announced that it had experienced a MOVEit-related data breach that affected tens of thousands of students and academic employees.
The MOVEit hacks also compromised the health records of 1.7 million Oregon citizens, according to PH Tech, a company that offers data management services to American healthcare insurance.
HCA Healthcare, whose security lapse unconnected to MOVEit resulted in the greatest breach of a U.S. healthcare provider so far this year, involved the names, addresses, and appointment information of 11.2 million people.