Incident is part of international cyber criminal attack on third-party data transfer software
FOR IMMEDIATE RELEASE
June 16, 2023
Media Contact
Marc Williams
Department of Health Care Policy & Financing
720-626-0801 (Cell)
Denver, CO - MOVEit is a software application businesses and government agencies around the world use to transfer large data files. MOVEit has experienced a security incident as part of a global cyberattack that targeted its secure file transfer software. While the full scope of the MOVEit cyberattack is still being determined, it is clear that the impacts are extensive, involving thousands of organizations worldwide including businesses and multiple federal and state government agencies. A cyber criminal group has claimed responsibility for the global data-theft attacks.
Department of Health Care Policy & Financing (HCPF) data files transferred by MOVEit software used by HCPF’s third party vendor have been compromised. The privacy of Coloradans’ data is of the utmost importance to HCPF and the state. Experts from HCPF, the state’s Office of Information Technology, and the national third party vendor are collaborating to investigate this MOVEit cybersecurity attack and its impact on our files housed at the third party vendor and any related impact on Coloradans covered by our programs. HCPF will be directly notifying any of our members who are affected when that information is known.
Early analysis indicates that it is reasonable to believe personal identifiable information of individuals served by Health First Colorado (Colorado’s Medicaid program), the Child Health Plan Plus (CHP+) - the state’s safety net health coverage programs - could have been impacted. As soon as the agencies have determined the extent of and the specifics related to the impact, HCPF will directly notify individuals.
Concurrent to this work, HCPF experts are working with the national third party vendor to investigate and address the cybersecurity intrusion with the specific goal of preventing any further data file compromises. HCPF has also reached out to all of its vendor partners to ensure their awareness of the MOVEit global cybersecurity attack, as well as to require their specific actions to determine, address, and communicate back to the Department any cyberattack findings for further action.
HCPF recommends individuals who have applied for or have been covered anytime since 2015 by Health First Colorado or Child Health Plan Plus take precautionary measures to protect themselves, such as accessing and monitoring personal credit reports. Under federal law, consumers have the right to receive a free copy of their credit report every 12 months from each of the three consumer credit reporting companies. A credit report can provide information about those who have received your credit history within a certain period of time. You may request a free credit report online or by telephone at 1-877-322-8228.
When you receive your credit reports, check for any transactions or accounts that you do not recognize. If you see anything you do not understand, call the telephone number listed on the credit report or visit the Federal Trade Commission’s website on identity theft. Additionally, you may wish to ask each of these four credit monitoring agencies to freeze your credit files.
Equifax website or call 1-800-685-1111
Experian website or call 1-888-397-3742
TransUnion website or call 1-888-909-8872
Innovis website or call or 1-866-712-4546
Consider changing passwords for all online accounts such as banking, social media, and health care portals in the event your personal data was used to access these accounts. Learn more about password protection at CISA.gov.
To prevent someone else from filing returns or receiving your federal tax refund, request an “Identity Protection Pin” from the Internal Revenue Service. You can also call the IRS at 1-800-829-1040.
Individuals who are eligible for, applied for, or are receiving Social Security benefits (including disability) may consider registering for an ssa.gov account.
Taking that step can stop others from stealing your benefits.
If you suspect Social Security fraud, call the Office of Inspector General hotline at 1-800-269-0271 or the Social Security Administration at 1-800-772-1213, or file a complaint online.
As new information is learned, the MOVEit Global Cyber Attack Updates page will be updated.
About the Colorado Department of Health Care Policy & Financing: The Department administers Health First Colorado (Colorado's Medicaid program), Child Health Plan Plus, and other programs for Coloradans who qualify. These health care programs now cover about one in four Coloradans. For more information about the Department, please visit hcpf.colorado.gov.