Dept of Health Care Policy and Financing reports breach involving vendor
DENVER — The Colorado Department of Health Care Policy and Financing was notified recently of a data breach impacting an unspecified number of people’s personal information and protected health information. According to HCPF, their systems were not breached, rather the problem impacted vendor software used by many organizations.
Progress Software, the maker of the MOVEit transfer application, announced publicly they discovered evidence of a cybersecurity incident incident in late May. That company notified its partners of the problem, including IBM, who is a vendor of HCPF. MOVEit is used to encrypt files during transfers across computer networks.
The Colorado Department of Health Care Policy and Financing began an internal investigation to determine if any internal systems were breached. As of June 13th, the organization has determined no Colorado or HCPF systems were breached by an unauthorized party, however, files used by IBM in the MOVEit transfer application were breached and copied around May 28th.
Information potentially impacted in the attack on the MOVEit application system includes patient names, Social Security numbers, Medicaid ID numbers, Medicare ID numbers, date of birth, home addresses and other contact information, demographic or income information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), and health insurance information.
HCPF says it will be offering potentially impacted individuals two years of free credit monitoring and identity restoration services provided through Experian. The organization did not provide an estimate as to how many people may be affected by this security breach.
For those who did not receive written notice of this incident but believe you may be affected, please call the HCPF at 833-346-1583. There hours of operation are below:
- Monday through Friday, 7 a.m. – 9 p.m.
- Saturday and Sunday 9 a.m. – 6 p.m.
Be prepared to provide engagement number B100639.
Read more about the incident on the HCPF’s site.
This article has been updated to reflect the breach originated with a vendor, not HCPF.
No Byline Policy
Editorial Guidelines
Corrections Policy
Source