Millions of Americans had their private medical and health information stolen after attackers hacked into systems operated by tech giant IBM and exploited a zero-day flaw in the widely used MOVEit file transfer software.
The MOVEit major hacks exposed the data of more than 4 million patients, according to the Colorado Department of Health Care Policy and Financing (HCPF), which oversees Colorado's Medicaid programme.
In a notification of a data breach sent to people impacted, Colorado's HCPF stated that IBM, one of the state's vendors, "uses the MOVEit application to move HCPF data files in the normal course of business."
While the Colorado state government or HCPF systems were unaffected by this problem, the letter claims that "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorised actor."
These files contain the full names, birth dates, residences, Social Security numbers, Medicaid and Medicare ID numbers, information on income, clinical and medical data (such as lab results and medication information), and information on health insurance for the patients.
HCPF claimed that the hack in the system affected nearly 4.1 million people. However, IBM is yet to publicly disclose that it was impacted by the MOVEit mass attacks.
The Department of Social Services (DSS) in Missouri was also affected by the IBM MOVEit system breach. However, the exact number of victims is unknown at the moment. Missouri state is home to more than 6 million people.
Missouri's DSS stated in a data breach notification posted last week: "IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians." The data vulnerability did not directly affect any DSS systems, but it did affect DSS data."
According to DSS, the data accessed may include an individual's name, department client number, date of birth, potential benefit eligibility status or coverage, and medical claims information.
Neither Colorado's HCPF nor Missouri's DSS are named on the dark web leak site of the Clop ransomware gang, which has claimed responsibility for the mass hacks. The Russia-linked group asserts on the site, "We don't have any government data."
Colorado's latest breach comes just days after the Colorado Department of Higher Education revealed a ransomware incident in which hackers accessed and copied 16 years of data from its networks. Last month, Colorado State University disclosed a MOVEit-related data breach that affected tens of thousands of students and academic employees.
