The Colorado Department of Health Care Policy & Financing (HCPF), which administers the Colorado Medicaid program, Child Health Plan Plus, and other health care programs, has recently announced a data breach involving the records of up to 4,091,794 individuals.
On May 31, 2023, Progress Software identified a zero-day vulnerability in its MOVEit Transfer file transfer solution that had been exploited by the Clop ransomware group to gain access to users’ data. While the Clop group is known for its ransomware attacks, the mass exploitation of the vulnerability only involved data theft and extortion.
HCPF said the MOVEit Transfer application was used by IBM, a third-party vendor that contracted with HCPF. The application was used to transfer data files in the normal course of business. The investigation into the data breach confirmed that the Clop gang gained access to the MOVEit Transfer application on May 28, 2023, and files containing the information of Health First Colorado and CHP+ members were exfiltrated. Those files included names, Social Security numbers, medical information, and health insurance information. HCPF started sending notification letters to the affected individuals on August 11, 2023. Credit monitoring and identity theft protection services have been offered to the affected individuals.
HCPF is one of several healthcare entities to have been affected by the attacks. Other victims include the Family and Social Services Administration in Indiana, Florida Healthy Kids, Radius Global Solutions, Vecino Health Centers, Johns Hopkins Medicine, the Missouri Department of Social Services, Allegheny County, Sutter Senior Care, UT Southwestern Medical Center, Pension Benefit Information, Performance Health Technology, and Maximus. Maximus contracts with state and local governments and manages and administers Medicare and Medicaid programs. The attack on Maximus affected almost 11 million individuals.
Threat actors are increasingly exploiting vulnerabilities to gain access to networks for data theft and extortion. Prompt patching is essential to limit the window of opportunity for cybercriminals to exploit vulnerabilities; however, ransomware gangs such as Clop are investing time and resources into identifying exploitable vulnerabilities in-house and are mass exploiting them before the software developers are able to release patches. Progress Software identified the vulnerabilities and released a patch promptly, but it was not possible to prevent the mass exploitation of the flaw. The total number of victims of the breach has yet to be established, but at least 670 organizations worldwide are known to have been attacked and the records of more than 46 million individuals have been stolen.