Health Data of 4M Stolen in Cl0p MOVEit Breach of Colorado Department

Published: 23/11/2024   Category: security




State's Department of Health Care Policy & Financing is the latest to acknowledge an attack by the Russian group's ongoing exploitation of third-party systems.



A government department in Colorado is the latest victim of a third-party attack by Russia's Cl0p ransomware group in connection with the MOVEit Managed File Transfer platform. Department officials say that the group stole the personal health data of about 4 million members of state health programs from IBM-managed systems.
On May 31, the Colorado Department of Health Care Policy & Financing (HCPF) noticed a problem — ultimately determined to be a cybersecurity incident — affecting its MOVEit Transfer application, according to a public notice by the department available online. IBM, a third-party contractor with HCPF, uses the application to move HCPF data files in the normal course of business.
After IBM notified the department of the cyberattack on MOVEit, HCPF launched an investigation and determined that while none of its own systems were affected, certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023, according to the filing.
Progress Software publicly announced that the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM, the agency said. No HCPF or State of Colorado systems were affected by this issue.
However, third-party files, which contained information of members of Health First Colorado and CHP+, which are state government health programs, were breached. The HCPF breach ultimately impacted 4,091,794 people, according to the department.
Data potentially accessed by Cl0p in the attack included personally identifiable (PII) data such as individuals' full name, Social Security number, date of birth, home address, and other contact, demographic, and income information. The breach also exposed personal health data, such as people's Medicaid or Medicare ID number, health insurance data, and even clinical and medical info such as diagnosis or condition, lab results, medication, or other treatment information.
The incident is the second this month that affected a Colorado government agency and exposed sensitive data of state residents. Earlier this month, the Colorado Department of Higher Education (CDHE) revealed that an unauthorized actor had accessed its systems in a ransomware incident that took place between June 11 and 19; the unidentified actor stole private and sensitive data including, but not limited to, names, Social Security numbers, and student identification numbers.
Meanwhile, Cl0p already has rampaged through a number of high-profile victims, both private and public, by exploiting a zero-day vulnerability discovered May 31, which was quickly patched. Other, similar vulnerabilities were identified later in the MOVEit Transfer app, developed by Progress Software. By June 30, the number of confirmed victims of the MOVEit debacle already was 160 and counting, and new revelations like the one by Colorado's HCPF are ongoing.
Other government entities already known to be affected by attacks from the ransomware gang on MOVEit include the Department of Energy's Oak Ridge Associated Universities and Waste Isolation Pilot Plant, while large corporations such as multinational oil and gas company Shell and British Airways also were caught up in the attacks.
The attacks once again stress the importance for enterprises to protect sensitive data managed by third-party contractors or other members of an organization's supply chain, notes Ron Arden, CTO at data-security firm Fasoo, in an email to Dark Reading.
If Colorado HCPF encrypted the PII and PHI of its customers and applied a security policy that controls its access, unauthorized users would not be able to access it, he observes. If attackers exfiltrated the data using a known vulnerability in the MOVEit product, it would be useless to them since they couldn’t read it.
HCPF and its third-party vendors plan to review department policies, procedures, and cybersecurity safeguards to further protect their systems in the wake of the attack, according to the notice. The department also is providing access to credit monitoring services for 24 months through Experian to victims of the incident for free.
HCPF takes information security seriously and apologizes for any inconvenience this incident may cause, the department said.
HCPF provided guidance in the form of steps that victims can take to protect their personal information and better protect against identity theft and fraud in the wake of the attack. Information distributed to impacted victims includes how to place a fraud alert and security freeze on their credit file, the contact details for the national consumer reporting agencies, and information on how to obtain a free credit report.
The HCPF also reminded victims to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouraged them to contact the Federal Trade Commission, their state Attorney General, and law enforcement if they notice any suspicious or fraud-related activity.
