A government department in Colorado is the latest victim of a third-party attack by Russia's Cl0p ransomware group in connection with the MOVEit Managed File Transfer platform. Department officials say that the group stole the personal health data of about 4 million members of state health programs from IBM-managed systems.
On May 31, the Colorado Department of Health Care Policy & Financing (HCPF) noticed a problem — ultimately determined to be a cybersecurity incident — affecting its MOVEit Transfer application, according to a public notice by the department available online. IBM, a third-party contractor with HCPF, uses the application to move HCPF data files "in the normal course of business."
After IBM notified the department of the cyberattack on MOVEit, HCPF launched an investigation and determined that while none of its own systems were affected, "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023," according to the filing.
"Progress Software publicly announced that the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM," the agency said. "No HCPF or State of Colorado systems were affected by this issue."
However, third-party files containing information about members of Health First Colorado and CHP+, both state government health programs, were breached. The HCPF breach ultimately impacted 4,091,794 people, according to the department.
Data potentially accessed by Cl0p in the attack included personally identifiable information (PII) such as individuals' full name, Social Security number, date of birth, home address, and other contact, demographic, and income information. The breach also exposed personal health data, such as people's Medicaid or Medicare ID number, health insurance data, and even clinical and medical info such as diagnosis or condition, lab results, medication, or other treatment information.
The incident is the second this month that affected a Colorado government agency and exposed sensitive data of state residents. Earlier this month, the Colorado Department of Higher Education (CDHE) revealed that an unauthorized actor had accessed its systems in a ransomware incident that took place between June 11 and 19; the unidentified actor stole private and sensitive data including, but not limited to, names, Social Security numbers, and student identification numbers.
Meanwhile, Cl0p already has rampaged through a number of high-profile victims, both private and public, by exploiting a zero-day vulnerability discovered May 31, which was quickly patched. Other, similar vulnerabilities were identified later in the MOVEit Transfer app, developed by Progress Software. By June 30, the number of confirmed victims of the MOVEit debacle already was 160 and counting, and new revelations like the one by Colorado's HCPF are ongoing.
Other government entities already known to be affected by attacks from the ransomware gang on MOVEit include the Department of Energy's Oak Ridge Associated Universities and Waste Isolation Pilot Plant, while large corporations such as multinational oil and gas company Shell and British Airways also were caught up in the attacks.
The attacks once again stress how important it is for enterprises to protect sensitive data managed by third-party contractors or other members of an organization's supply chain, notes Ron Arden, CTO at data-security firm Fasoo, in an email to Dark Reading.
"If Colorado HCPF encrypted the PII and PHI of its customers and applied a security policy that controls its access, unauthorized users would not be able to access it," he observes. "If attackers exfiltrated the data using a known vulnerability in the MOVEit product, it would be useless to them since they couldn’t read it."
HCPF and its third-party vendors plan to review department policies, procedures, and cybersecurity safeguards to further protect their systems in the wake of the attack, according to the notice. The department also is providing access to credit monitoring services for 24 months through Experian to victims of the incident for free.
"HCPF takes information security seriously and apologizes for any inconvenience this incident may cause," the department said.
HCPF provided guidance in the form of steps that victims can take to protect their personal information and better protect against identity theft and fraud in the wake of the attack. Information distributed to impacted victims includes how to place a fraud alert and security freeze on their credit file, the contact details for the national consumer reporting agencies, and information on how to obtain a free credit report.
The HCPF also reminded victims to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouraged them to contact the Federal Trade Commission, their state Attorney General, and law enforcement if they notice any suspicious or fraud-related activity.