FOR IMMEDIATE RELEASE
August 11, 2023
Department of Health Care Policy & Financing
Denver - The Department of Health Care Policy and Financing (HCPF) is providing notice of a recent data security incident that involves certain individuals’ personal information and/or protected health information. HCPF oversees Health First Colorado (Colorado’s Medicaid program), Child Health Plan Plus (CHP+), and other health care programs for Coloradans who qualify.
What Happened? On May 31, 2023, Progress Software discovered a problem affecting its MOVEit® Transfer application. IBM, a third-party vendor contracted with HCPF, uses the MOVEit application to move HCPF data files in the normal course of business. Progress Software publicly announced that the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM. No HCPF or State of Colorado systems were affected by this issue.
After IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted HCPF’s own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party. While HCPF confirmed that no HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023. These files contained certain Health First Colorado and CHP+ members’ information. HCPF has since learned that certain individuals’ information was included in these files.
What Information Was Involved? The information may have included one or more of the following pieces of information for certain individuals: full name, Social Security number, Medicaid ID number, Medicare ID number, date of birth, home address and other contact information, demographic or income information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), and health insurance information.
What We Are Doing. HCPF takes information security seriously and apologizes for any inconvenience this incident may cause. HCPF and its vendors are reviewing their policies, procedures and cybersecurity safeguards to further protect their systems. As an added precaution, HCPF is offering potentially impacted individuals two years of free credit monitoring and identity restoration services provided through Experian. If you did not receive written notice of this incident but believe you may be affected, please call us at 833-346-1583, Monday through Friday, 7 a.m. – 9 p.m., and Saturday and Sunday 9 a.m. – 6 p.m. Mountain Time (excluding major holidays). Please be prepared to provide engagement number B100639.
What You Can Do. Individuals can find out more about how to protect themselves generally against the potential misuse of information by reviewing the guidance on HCPF’s website, entitled Steps You Can Take to Protect Personal Information.
About the Colorado Department of Health Care Policy & Financing: The Department administers Health First Colorado (Colorado's Medicaid program), Child Health Plan Plus, and other programs for Coloradans who qualify. These health care programs now cover about one in four Coloradans. For more information about the Department, please visit hcpf.colorado.gov.