Millions of Americans’ health data stolen after MOVEit hackers targeted IBM
The medical and health data of more than four million US residents has been compromised in yet another incident involving the MOVEit transfer app. The victim this time was the Colorado Department of Health Care Policy and Financing (HCPF).
According to HCPF, the breach occurred because IBM, one of the state's main hardware providers, uses the MOVEit app to transfer HCPF data. The healthcare agency noted that while HCPF's systems were not directly exploited, there was evidence that an authorised actor had accessed certain HCPF files on the MOVEit application.
The compromised files contained sensitive data of individuals, including names, social security numbers, Medicaid and Medicare ID numbers, dates of birth, clinical health care information, and more.
As part of mitigation, HCPF has agreed to provide affected people with two years of credit monitoring through Experian to counter cases of identity theft that may arise.
The incident comes just a week after the Colorado Department of Higher Education (CDHE) revealed they had suffered a major ransomware attack that led to the deletion of data dating back to 2004.
Also, HCPF was not the only casualty in the IBM/MOVEit incident. Missouri's Department of Social Services (DSS) has also revealed that health information belonging to Medicaid participants in Missouri was compromised. However, apart from two social security numbers, no sensitive data was exposed.
Colorado HCPF and Missouri DSS now join a list of other multiple high-profile organisations that have been affected by the MOVEit hack since it became public in June. It was the Russian ransomware group Clop that orchestrated the first attacks in June although it has not claimed responsibility for the IBM attacks.
Clop had given its list of victims until June 21st June 21 to pay their ransoms, threatening to publish their private information if demands weren't met. A number of high-profile names were spotted on this list, including The US Department of Energy, John Hopkins University, 1st Source Bank, and Shell Gas.