August 24, 2023

The Colorado Department of Health Care Policy and Financing (HCPF) has suffered a data breach that impacted the personal and health information of four million individuals.

The breach was caused by a vulnerability in the MOVEit managed file transfer application, which is used by IBM to move data for HCPF.

The investigation into the breach determined that threat actors accessed sensitive data, including full names, Social Security numbers, Medicaid ID numbers, Medicare ID numbers, dates of birth, home addresses, and other contact information. However, financial information such as credit card numbers was not exposed.

HCPF is offering potentially impacted individuals two years of free credit monitoring and identity restoration services. The agency is also reviewing its cybersecurity policies and practices to prevent similar data breaches in the future.

This is the latest in a series of data breaches that have impacted Colorado organizations. In 2022, the Colorado Department of Higher Education suffered a ransomware attack that exposed the personal information of current and former students and educators. And in 2021, Colorado State University disclosed a data breach that exposed the personal information of students, faculty, and staff.

Previous victims of the MOVEit data breach include the U.S. Department of Energy, Schneider Electric, Siemens Energy, Shell, Louisiana’s Office of Motor Vehicles, Norton’s parent company Gen Digital, and German Banks Deutsche Bank AG, Commerzbank, and ING.

The sources for this piece include an article in CPOMAGAZINE.