- Aug 17, 2017
HCPF clarifies that while their systems weren't directly compromised, the data exposure occurred through IBM, their contractor, which utilized the MOVEit software. "After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted its own systems, and to determine whether Health First Colorado or CHP+ members' protected health information was accessed by an unauthorized party," reads the notice.
The investigation revealed that the threat actors managed to access and likely exfiltrated files that contained certain Health First Colorado and CHP+ members' information, including:
- Full names
- Social Security Numbers (SSNs)
- Medicaid ID number
- Medicare ID number
- Date of Birth
- Home address
- Contact information
- Income information
- Demographic data
- Clinical data (diagnosis, lab results, treatment, medication)
- Health insurance information
The above data can be utilized to launch effective phishing or social engineering attacks, and can help with identity or bank fraud activity.
The Colorado Department of Health Care Policy & Financing (HCPF) is alerting more than four million individuals of a data breach that impacted their personal and health information.