Date:

May 2023

Location:

United States of America

Summary

The Colorado Department of Health Care Policy & Financing experienced a data breach through the exploitation of a vulnerability in the MOVEit file transfer tool. The incident potentially compromised the personally identifiable information of individuals served by the state's Medicaid program and the Child Health Plan Plus. An investigation was launched to determine the extent of the impact and to prevent further compromise, with plans to notify affected individuals directly.


Description

On or around May 28, 2023, the Colorado Department of Health Care Policy & Financing (HCPF) became a victim of a widespread cyber incident involving the exploitation of vulnerabilities in the MOVEit file transfer tool. The attack was part of a broader campaign attributed to the Clop ransomware group, which targeted numerous high-profile organizations globally by exploiting zero-day vulnerabilities in the widely used file transfer application. The department confirmed that it was investigating a security breach that compromised the personal data of state residents. Its initial analysis indicated that it was reasonable to believe that personally identifiable information of individuals served by Colorado's Medicaid program, Health First Colorado, and the Child Health Plan Plus (CHP+) could have been affected. These state safety net health coverage programs hold sensitive data on a significant portion of the Colorado population.


The incident did not involve a direct breach of HCPF's internal networks. Instead, the attackers exploited vulnerabilities in the MOVEit application, third-party software provided by Progress Software and used by the department for secure file transfers. This allowed the attackers to access files that were stored on or transferred through the MOVEit platform directly, without first gaining access to the agency's broader IT infrastructure. The vulnerabilities exploited were zero-days, unknown to the public and to the vendor at the time of exploitation, so no patch was available and the attackers could operate undetected until the exploitation was discovered and disclosed.

The scope of the incident was potentially vast because of the nature of the programs involved. HCPF stated that the personal data of anyone who had applied for or been covered by Health First Colorado or the Child Health Plan Plus at any time since 2015 could have been exposed. This lengthy window suggested that a large number of current and past beneficiaries were at risk, though at the time of its initial announcement the department had not determined the exact number of individuals affected. HCPF did not specify which data elements were potentially accessed; records held by Medicaid and CHP+ programs typically include highly sensitive information such as full names, addresses, dates of birth, Social Security numbers, medical diagnoses, and health insurance information.

In response to the discovery, HCPF initiated an immediate investigation to determine the full extent of the data compromise. The agency's experts worked alongside the software vendor, Progress Software, to investigate and contain the intrusion. The primary goals of this effort were to prevent any further compromise of data files and to establish exactly what information had been accessed. The department also began reviewing the contents of the files that had been stored on the MOVEit server to identify which individuals' data was involved and which specific data elements were exposed.

As part of its response plan, HCPF committed to notifying individuals directly as soon as the investigation determined the extent and specifics of the impact. Notification would begin once the analysis was complete and would tell affected individuals which of their information was involved. The department also indicated that it would follow the relevant data protection regulations in handling the incident and the subsequent notifications. Concurrently, the agency urged caution for everyone who had been covered by the state's Medicaid or CHP+ programs since 2015, advising them to take steps to protect their personal information from misuse, though it did not specify what those steps should be.

The incident at HCPF was one of many confirmed breaches linked to the MOVEit vulnerabilities during this period. Other victims included U.S. federal agencies such as the Department of Energy and the Office of Personnel Management; state agencies in Illinois, Missouri, Minnesota, Oregon, and Louisiana; major corporations such as Shell; and universities including Johns Hopkins and the University of Missouri. The international scale of the campaign was demonstrated by breaches at Canadian government bodies in Nova Scotia and at high-profile organizations in the United Kingdom. Progress Software faced significant scrutiny and a federal class action lawsuit in the United States over its handling of the vulnerabilities and the fallout from the mass exploitation by the Clop group. The incident underscored the systemic risk posed by vulnerabilities in widely used third-party software within government and critical infrastructure sectors.
