Colorado Department of Health Care Policy & Financing

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The Colorado Department of Health Care Policy and Financing (HCPF) experienced a data breach involving the MOVEit Transfer application used by IBM, a third-party vendor contracted with HCPF. The incident was part of a global cybersecurity incident that affected many users around the world, including IBM. Progress Software, the developer of MOVEit, discovered the problem on May 31, 2023, and publicly announced that it was the result of a cybersecurity incident[1][8][17][20].

The breach was confirmed on June 13, 2023, when it was identified that certain HCPF files on the MOVEit application were accessed by an unauthorized actor around May 28, 2023. These files contained personal information of certain Health First Colorado and Child Health Plan Plus (CHP+) members. The compromised information may have included full names, Social Security numbers, Medicaid and Medicare ID numbers, dates of birth, home addresses, contact information, demographic or income information, clinical and medical information, and health insurance information[1][5][8][17][20].

HCPF systems or databases were not directly impacted by the breach. In response to the incident, HCPF is offering potentially impacted individuals two years of free credit monitoring and identity restoration services provided through Experian. HCPF and its vendors are also reviewing their policies, procedures, and cybersecurity safeguards to further protect their systems[1][5][8][17][20].

Affected individuals who did not receive written notice but believe they may be affected can contact HCPF for assistance. The department has also advised individuals to monitor their accounts for any unauthorized activity and to take steps to protect themselves from identity theft and fraud[1][5][8][17][20].

The breach has led to investigations and potential legal actions, as indicated by the involvement of law firms like Federman & Sherwood[23]. The long-term impacts of such a data breach can include financial losses, reputational damage, legal troubles, and erosion of consumer trust[3][22]. It is essential for organizations to have incident response plans and to implement appropriate technical and organizational measures to prevent and mitigate the effects of data breaches[4][21].

Citations:

  1. https://hcpf.colorado.gov/moveit
  2. https://www.ibm.com/topics/data-breach
  3. https://www.metacompliance.com/blog/data-breaches/5-damaging-consequences-of-a-data-breach
  4. https://www.fpc.gov/elements-of-federal-privacy-program/breach-response/
  5. https://hcpf.colorado.gov/news-release-contractor-data-security-incident
  6. https://www.trendmicro.com/vinfo/us/security/definition/data-breach
  7. https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach
  8. https://www.9news.com/article/news/local/colorado-health-care-policy-financing-data-breach/73-9af829a4-a7bf-4677-aa6d-b40ad7249a04
  9. https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business
  10. https://www.cloudmask.com/blog/data-breaches-threats-and-consequences
  11. https://www.cpomagazine.com/cyber-security/4-million-impacted-in-colorado-department-of-health-care-ibm-moveit-data-breach/
  12. https://www.csoonline.com/article/534628/the-biggest-data-breaches-of-the-21st-century.html
  13. https://www.nedigital.com/en/blog/data-breach-consequences
  14. https://www.jdsupra.com/legalnews/colorado-department-of-health-care-7038352/
  15. https://www.kaspersky.com/resource-center/definitions/data-breach
  16. https://bigid.com/blog/the-costly-impact-of-a-data-breach-on-individuals/
  17. https://www.koaa.com/news/covering-colorado/department-of-health-care-policy-and-financing-reporting-a-data-breach-incident
  18. https://www.fortinet.com/resources/cyberglossary/data-breach
  19. https://www.fisglobal.com/en/insights/merchant-solutions-worldpay/article/how-the-consequences-of-a-data-breach-threaten-small-businesses
  20. https://www.cbsnews.com/colorado/news/state-office-data-breach-worldwide-cybersecurity-incident-colorado-department-health-care-policy-financing/
  21. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-data-breach-and-what-do-we-have-do-case-data-breach_en
  22. https://www.securitymagazine.com/articles/98325-the-impact-of-a-data-breach
  23. https://www.businesswire.com/news/home/20230815828378/en/Federman-Sherwood-Investigates-Colorado-Department-of-Health-Care-Policy-Financing-for-Data-Breach
  24. https://www.mcafee.com/learn/what-is-a-data-breach-and-how-do-you-avoid-it/
  25. https://securityintelligence.com/articles/long-term-impacts-security-breach/
Breach Submission Date Aug 11, 2023
Converted Entity Name Colorado Department of Health Care Policy & Financing
Converted Entity Type Health Plan
State CO
Individuals Affected 4,091,794
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes