Department of Health Care Policy and Financing (HCPF) Provides Updated Notice of May 2023 Data Security Incident

View this page in Spanish

Updated: February 20, 2024

The Colorado Department of Health Care Policy and Financing (HCPF) is providing notice of a data security incident that involves certain individuals’ personal information and/or protected health information. HCPF oversees Health First Colorado (Colorado’s Medicaid program), Child Health Plan Plus (CHP+), and other health care programs for Coloradans who qualify.

What Happened? On May 31, 2023, Progress Software discovered a problem affecting its MOVEit® Transfer application. IBM, a third-party vendor contracted with HCPF, uses the MOVEit application to move HCPF data files in the normal course of business. Progress Software publicly announced that the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM. No HCPF or State of Colorado systems were affected by this issue.

After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted HCPF’s own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party. While HCPF confirmed that no other HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023. These files contained certain individuals’ information including Health First Colorado and CHP+ members and applicants, providers, and provider and member-affiliated individuals as well as information for individuals who may provide additional coverage to Health First Colorado and CHP+ members.

As a result of our continued review of the impacted information, HCPF confirmed on January 17, 2024 that information pertaining to additional individuals was included in the files accessed by the unauthorized actor. HCPF has since taken steps to notify and provide resources to the additional individuals identified as being potentially affected by this incident.

What Information Was Involved? The information may have included one or more of the following pieces of information for certain individuals: full name, Social Security number, Medicaid ID number, Medicare ID number, date of birth, address and other contact information, demographic information, income and expense information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), health insurance information, and asset information.

What We Are Doing. HCPF takes information security seriously and apologizes for any inconvenience this incident may cause. HCPF and its vendors are reviewing their policies, procedures and cybersecurity safeguards to further protect their systems. As an added precaution, HCPF is offering potentially impacted individuals two years of free credit monitoring and identity restoration services provided through Experian.  If you did not receive written notice of this incident but believe you may be affected, please call us at 833-918-1099, Monday through Friday, 7:00 a.m. – 9:00 p.m. Mountain Time (excluding major holidays) and provide engagement number B115237.

What You Can Do. Individuals can find out more about how to protect themselves generally against the potential misuse of information by reviewing the guidance below entitled Steps You Can Take to Protect Personal Information.


Steps You Can Take To Protect Personal Information

Monitor Your Accounts

Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.

You have the right to place an initial or extended fraud alert on your credit file at no cost.

  • If your information has not been used for identity theft, you can ask for an initial fraud alert. This alert will be placed in your credit file and lasts for one year. If you have an initial fraud alert in your credit file, businesses must take steps to verify your identity before they approve new credit. This can help stop identity thieves from taking out new credit cards and loans in your name.
  • If your information has been used for identity theft, you are entitled to an extended fraud alert, which lasts seven years. If you want to place an extended fraud alert, please contact any of the three major credit reporting bureaus listed below.

As an alternative to a fraud alert, you have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without your express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in a consumer’s name without consent. However, be aware that using a credit freeze to take control over who gets access to your personal and financial information may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Under federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a credit freeze, you may need to provide some or all of the following information:

  1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. Addresses for the prior two to five years;
  5. Proof of current address, such as a current utility bill or telephone bill;
  6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
  7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.

If you want to place a credit freeze or fraud alert on your credit file, you will need to contact each of the three major credit reporting bureaus listed below:








Equifax Fraud Alert, P.O. Box 105069 Atlanta, GA 30348-5069

Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013

TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016

Equifax Credit Freeze, P.O. Box 105788 Atlanta, GA 30348-5788

Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013

TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094


Additional Information

Learn more about identity theft, fraud alerts, credit freezes, and steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state Attorney General. 

The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Please file a complaint with the Federal Trade Commission if your information has been misused. Contact the Federal Trade Commission if you have questions about how to file your complaint.  

You also have the right to file a police report if you ever experience identity theft or fraud. To file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Contact your local police department if you have questions about the type of proof you will need. 

Instances of known or suspected identity theft should also be reported to your state Attorney General.

Residents of states OTHER than Colorado, please read the following:

For California residents, this notice has not been delayed by law enforcement.

For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW, Washington, D.C. 20001; 202-727-3400; and oag.dc.gov.

For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-576-6300 or 1-888-743-0023; and www.marylandattorneygeneral.gov.

For New Mexico residents, consumers have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in their credit file has been used against them, the right to know what is in their credit file, the right to ask for their credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to consumers’ files is limited; consumers must give consent for credit reports to be provided to employers; consumers may limit “prescreened” offers of credit and insurance based on information in their credit report; and consumers may seek damages from violators. Consumers may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active-duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage consumers to review their rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.

For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or ag.ny.gov.

For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov

For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, RI 02903; www.riag.ri.gov; and 1-401-274-4400. Under Rhode Island law, individuals have the right to obtain any police report filed in regard to this event. There are 278 Rhode Island residents that may be impacted by this event.

Help In Your Language

Please Call: 833-346-1583.

  • Español ATENCIÓN: Si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística.
  • Tiếng Việt CHÚ Ý: Nếu bạn nói Tiếng Việt, có các dịch vụ hỗ trợ ngôn ngữ miễn phí dành cho bạn.
  • 繁體中文 注意:如果您使用繁體中文,您可以免費獲得語言援助服務。
  • 한국어 주의: 한국어를 사용하시는 경우, 언어 지원 서비스를 무료로 이용하실 수 있습니다.
  • Русский ВНИМАНИЕ: Если вы говорите на русском языке, то вам доступны бесплатные услуги перевода.
  • አማርኛ ማስታወሻ: የሚናገሩት ቋንቋ ኣማርኛ ከሆነ የትርጉም እርዳታ ድርጅቶች፣ በነጻ ሊያግዝዎት ተዘጋጀተዋል፡
  •  ملحوظة: إذا كنت تتحدث اذكر اللغة، فإن خدمات المساعدة اللغویة تتوافر لك بالمجان. العربیة
  • Deutsch ACHTUNG: Wenn Sie Deutsch sprechen, stehen Ihnen kostenlos sprachliche Hilfsdienstleistungen zur Verfügung.
  • Français ATTENTION: Si vous parlez français, des services d'aide linguistique vous sont proposés gratuitement.
  • नेपाल ध्यान िदनहोसु : ् तपाइ लेनेपाली बोल्नहु न्छ भनेतपाइ को िनिम्त भाषा सहायता सेवाह  िनःशल्कु  पमा उपलब्ध छ ।
  • Tagalog PAUNAWA: Kung nagsasalita ka ng Tagalog, maaari kang gumamit ng mga serbisyo ng tulong sa wika nang walang bayad.
  • 日本語 注意事項:日本語を話される場合、無料の言語支援をご利用いただけます。
  • Oroomiffa XIYYEEFFANNAA: Afaan dubbattu Oroomiffa, tajaajila gargaarsa afaanii, kanfaltiidhaan ala, ni argama.
  • توجھ: اگر بھ زبان فارسی گفتگو می کنید، تسھیلات زبانی بصورت رایگان برای شما فراھم می باشد. فارسی
  • Polski UWAGA: Jeżeli mówisz po polsku, możesz skorzystać z bezpłatnej pomocy językowej.