US authorities have unveiled a large-scale data breach that saw hackers exploit a zero-day vulnerability in the MOVEit file-transfer software, resulting in the theft of sensitive medical and health information data belonging to millions of Americans.
The Colorado Department of Health Care Policy and Financing (HCPF) announced that it fell victim to the widespread MOVEit attacks, which exposed the personal and medical data of more than 4 million patients. The HCPF explained that the breach occurred because IBM, a third-party vendor contracted by the department, utilized the MOVEit application for routine data transfers.
After Progress Software, the provider of MOVEit, publicly acknowledged a cybersecurity incident impacting users globally, including IBM, HCPF initiated an investigation to assess the extent of the breach’s impact on its systems. The findings confirmed unauthorized access to certain HCPF files via the compromised MOVEit application used by IBM. These files contained sensitive information such as names, Social Security numbers, medical details, and health insurance information of Health First Colorado and CHP+ members. Approximately 4.1 million individuals are believed to be affected by this breach.
This incident follows another similar breach involving Maximus, a US government services contracting company, which confirmed that hackers exploited a MOVEit Transfer vulnerability to access the protected health information of 8 to 11 million individuals. Maximus manages and administers government-sponsored programs and student loan servicing.
The breach, heralded as the most significant healthcare data breach of the year, highlights the far-reaching consequences of cyber attacks on healthcare institutions. The breach’s severity underscores the importance of maintaining robust cybersecurity practices and promptly addressing vulnerabilities in critical software applications.
In a filing with the US Securities and Exchange Commission (SEC), Maximus disclosed that the attackers utilized a zero-day vulnerability in the MOVEit file transfer application to carry out the data theft. This revelation underscores the need for organizations to remain vigilant and proactive in identifying and addressing software vulnerabilities to protect sensitive data and prevent potential breaches.
