Incident

Colorado Dept. of Health Care Policy reports MOVEit related data breach



The Colorado Department of Health Care Policy and Financing (HCPF) has reported a data security incident involving the personal information and protected health information of certain individuals. The HCPF oversees various healthcare programs including Health First Colorado (Colorado’s Medicaid program) and Child Health Plan Plus (CHP+) for eligible Coloradans.

On May 31, 2023, Progress Software identified an issue with its MOVEit® Transfer application, which is used by IBM, a third-party vendor contracted with HCPF, to transfer data files. The issue was revealed to be a cybersecurity incident affecting multiple users worldwide, including IBM, but no HCPF or State of Colorado systems were affected.

HCPF initiated an investigation to determine if the incident affected its systems and whether the protected health information of Health First Colorado or CHP+ members was accessed without authorization. The investigation confirmed that certain HCPF files on the MOVEit application, containing Health First Colorado and CHP+ members' data, were accessed by an unauthorized party on or around May 28, 2023.

The compromised information may include:

  • full names,
  • Social Security numbers,
  • Medicaid and Medicare ID numbers,
  • dates of birth,
  • addresses,
  • contact information,
  • demographic and income details,
  • clinical and medical information (such as diagnoses, lab results, medications, and treatment information),
  • health insurance information.

The number of affected individuals is not disclosed.

HCPF expresses regret for any inconvenience caused by this incident and is providing potentially impacted individuals with two years of free credit monitoring and identity restoration services through Experian.
