October 2, 2023

Colorado Health Care Policy & Financing (HCPF) department is the latest victim of a third-party attack using MoveIT file transfer vulnerability that leads to the breach of health data of about 4 million members of state health programs from IBM-managed systems.

On May 31, the Colorado HCPF noticed a cybersecurity incident affecting its MOVEit Transfer application, IBM, a third-party contractor with HCPF, uses the application to move HCPF data files in the normal course of business.

After IBM notified the department of the cyberattack on MOVEit, HCPF launched an investigation and determined that while none of its own systems were affected, certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023.No HCPF or State of Colorado systems were affected by this issue.


However, third-party files, which contained information of members of Health First Colorado and CHP+, which are state government health programs, were breached. The HCPF breach ultimately impacted 4,091,794 people, according to the department.

The data involved in the attack includes PII data such as individuals’ full name, Social Security number, date of birth, home address, demographic, and income information. The breach also exposed personal health data, such as people’s Medicaid or Medicare ID number, health insurance data, and even clinical and medical info such as diagnosis or condition, lab results, medication, or other treatment information.

HCPF and its third-party vendors plan to review department policies, procedures, and cybersecurity safeguards to further protect their systems in the wake of the attack. It also provides access to credit monitoring services for 24 months through Experian to victims of the incident for free.


The HCPF also reminded victims to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouraged them to contact the Federal Trade Commission, their state Attorney General, and law enforcement if they notice any suspicious or fraud-related activity.

Leave a Reply

%d bloggers like this: