Health Data of Millions Impacted by MOVEit Exploit at IBM

August 15, 2023 - A MOVEit Transfer hack at IBM resulted in the potential exposure of health data for millions of Colorado Medicaid beneficiaries, the Colorado Department of Health Care Policy & Financing (HCPF) reported via a breach notification submitted to the Maine Attorney General’s Office.

As previously reported, organizations around the world have suffered from exploits of a vulnerability in Progress Software’s MOVEit Transfer software, allowing threat actors to gain access to databases containing sensitive information.

IBM is a third-party contractor of HCPF, which runs Colorado’s Medicaid program. IBM uses the MOVEit application to transfer files on behalf of HCPF. In May, IBM notified HCPF of the MOVEit incident, prompting HCPF to launch an investigation.

“While HCPF confirmed that no other HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023. These files contained certain Health First Colorado and CHP+ members’ information,” HCPF confirmed.

More than 4 million beneficiaries were impacted by the breach, which involved unauthorized access to Social Security numbers, names, medical information, and health information.

In addition to the HCPF breach, the Missouri Department of Social Services (DSS) reported a breach stemming from the MOVEit incident at IBM. It is unclear how many Medicaid beneficiaries were impacted at the Missouri DSS.

“IBM notified DSS of the incident on June 2, 2023, informing DSS that IBM had applied any recommended MOVEit software fixes and had stopped using the MOVEit Transfer application while they investigated to determine if any DSS data had been accessed,” the Misourri DSS stated in its notice to patients.

“DSS immediately began investigating and working with the appropriate entities to ensure the security of DSS systems and information. No DSS systems have been found to have been impacted by this incident, but will continue to be monitored.”

DSS is still working to analyze the contents of all the accessed files, but noted that the impacted information may have included names, department client numbers, benefit eligibility status, and medical claims information.

“DSS is still reviewing the files associated with this incident. This will take us some time to complete. These files are large, are not in plain English, and are not easily readable because of how they are formatted,” DSS noted.

“We are working to analyze these files as quickly as possible, and will contact additional people individually should we determine during this review that different or additional information or individuals were potentially impacted.”

DSS encouraged Missourians to review credit reports for suspicious activity in the meantime.

IBM has not yet issued an official statement on the incident.