The Colorado Department of Health Care Policy & Financing (HCPF) has fallen victim to a cyberattack by the Russia-linked Cl0p ransomware group. In the attack, the personal health data of approximately 4 million members of state health programs was stolen from IBM-managed systems running Progress Software's MOVEit Transfer managed file transfer (MFT) platform.
HCPF first became aware of a problem with its MOVEit Transfer application on May 31. After IBM, the third-party contractor that operated the platform on HCPF's behalf, notified it of the attack, HCPF launched an investigation and determined that certain HCPF files on the MOVEit application had been accessed by an unauthorized actor on or about May 28, 2023. HCPF states that none of its own systems were affected; the files taken from the MOVEit instance, however, contained information on members of Health First Colorado (the state's Medicaid program) and Child Health Plan Plus (CHP+). As a result, the personal data of 4,091,794 individuals was compromised.
The stolen data included personally identifiable information (PII) such as full names, Social Security numbers, dates of birth, home addresses, and contact details. Additionally, the breach exposed personal health data, including Medicaid or Medicare ID numbers, health insurance data, and even clinical and medical information like diagnoses, lab results, medications, and treatment information.
This incident is the second cyberattack on a Colorado government agency this month. The Colorado Department of Higher Education (CDHE) recently disclosed that its systems had been accessed in a ransomware incident, resulting in the theft of private data, including names, Social Security numbers, and student identification numbers. These incidents highlight the rising threat of cyberattacks against government bodies and the potential risks to the personal information of residents.
Cl0p has already hit a long list of high-profile victims in both the private and public sectors. The group exploited a zero-day SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362), developed by Progress Software, to pull files from Internet-facing instances in bulk; no ransomware was deployed on victims' systems, and the extortion rests on the stolen data alone. By the end of June, there were already 160 confirmed victims of the Cl0p attacks, including government entities like the Department of Energy's Oak Ridge Associated Universities and Waste Isolation Pilot Plant, as well as large corporations such as Shell and British Airways.
These incidents emphasize the importance of protecting sensitive data that is handled by third-party contractors and other supply chain members. Ron Arden, CTO at data-security firm Fasoo, highlighted encryption and access control as the measures that keep stolen data from being usable. The caveat a practitioner should add is where the keys live: any at-rest encryption a transfer platform performs with keys it holds itself is transparent to an intruder who operates through the application, as the MOVEit intruders did, so the files come out in the clear just as they would for a legitimate user. Encryption would have blunted this theft only if the files had been encrypted before they were staged on the platform, under keys the platform never held, and kept there no longer than the transfer required.
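To make the key-placement point concrete, here is an added example (written for this page; it is not HCPF, IBM or Progress Software code and says nothing about how MOVEit Transfer is built) of sealing a file on the sender's side with AES-256-GCM before it is handed to any managed file transfer platform. The assumption is that the key reaches the recipient out of band or wrapped to the recipient's public key, never through the platform itself; the function names (`newTransferKey`, `sealForTransfer`, `openFromTransfer`) and the sample record are hypothetical. The file name is bound as associated data so a sealed blob fails to open if it is renamed or swapped, and any modification of the ciphertext is rejected rather than decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Hypothetical helper names; not part of MOVEit, IBM or HCPF tooling.

// newTransferKey returns a fresh 256-bit key. The key must travel to the
// recipient out of band (or wrapped to the recipient's public key), never
// through the same platform that carries the files.
func newTransferKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM instance and rejects any other key size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForTransfer encrypts a file before it is handed to the transfer
// platform. The file name is bound as associated data, so a sealed blob
// cannot be passed off under a different name without failing
// authentication. Output layout: nonce || ciphertext || GCM tag.
func sealForTransfer(key, plaintext []byte, filename string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(filename)), nil
}

// openFromTransfer reverses sealForTransfer. It fails closed on a wrong key,
// a renamed file, a truncated blob, or any change to the ciphertext or tag.
func openFromTransfer(key, sealed []byte, filename string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(filename))
}

func main() {
	// Constructed sample record; not real member data.
	record := []byte("member_id=000000000,name=Example Member,dob=1970-01-01,diagnosis=E11.9\n")
	key, err := newTransferKey()
	if err != nil {
		panic(err)
	}
	sealed, err := sealForTransfer(key, record, "eligibility-2023-05.csv")
	if err != nil {
		panic(err)
	}
	// This is all the transfer platform, and anyone pulling files through it, ever holds.
	fmt.Printf("stored on platform: %d bytes of ciphertext, first bytes %x\n", len(sealed), sealed[:8])

	// Recipient side, with the key delivered out of band.
	plain, err := openFromTransfer(key, sealed, "eligibility-2023-05.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient recovered: %s", plain)

	// An intruder holding the blob but not the key gets an authentication error, not data.
	if _, err := openFromTransfer(make([]byte, 32), sealed, "eligibility-2023-05.csv"); err != nil {
		fmt.Println("without the key:", err)
	}
}
```

The design choice worth noting is that the platform is treated as untrusted storage: it can lose, leak or serve the blob to the wrong party, and the worst outcome is disclosure of ciphertext. That is the property the HCPF files did not have. In production the per-batch key would itself be wrapped for the recipient with an asymmetric key or a KMS rather than copied by hand, and the blob would carry a version byte so the format can change later.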
In response to the attack, HCPF and its third-party vendors are reviewing their policies, procedures, and cybersecurity safeguards to strengthen the protection of their systems. The department is also offering affected individuals 24 months of free credit monitoring through Experian. HCPF says it is taking the incident seriously and apologizes for any inconvenience caused.
To mitigate the potential risks of identity theft and fraud, HCPF has provided guidance to impacted victims. This includes steps on how to place a fraud alert and security freeze on their credit file, as well as contact information for national consumer reporting agencies to obtain free credit reports. The department also advises individuals to remain vigilant by reviewing account statements, monitoring their credit reports, and reporting any suspicious activity to the authorities.
The incidents involving the Colorado government agencies and the other victims of the Cl0p campaign serve as a reminder for organizations to prioritize the protection of sensitive data and strengthen their cybersecurity measures. By encrypting sensitive data under keys the third party does not hold, limiting what is staged on transfer platforms and how long it stays there, and enforcing access controls on the rest, organizations can limit the damage a compromised supplier can do and safeguard the personal information of the people who rely on their services.