MOVEit Breach Affects IBM, Millions’ Health Data Potentially Accessed

‘There has been no impact to IBM systems,’ a spokesperson tells CRN in an email.

IBM’s use of Progress Software’s compromised MOVEit application appears to have resulted in the unauthorized access of millions of people’s health care information held by two state agencies, one in Colorado and one in Missouri.

In a statement to CRN, an IBM spokesperson said that the vendor “has worked closely with the Colorado Department of Health Care Policy and Financing (HCPF) and the Missouri Department of Social Services to determine and minimize the impact of the breach of MOVEit Transfer, a non-IBM data transfer program provided by Progress Software.”

“Upon receiving notification of the breach from Progress, we moved quickly to isolate potentially impacted systems and have implemented a thorough mitigation plan,” according to the statement. “There has been no impact to IBM systems.”

[RELATED: 8 Tech And IT Companies Targeted In The MOVEit Attacks]

IBM MOVEit Attack

Burlington, Mass.-based Progress discovered a critical vulnerability in its widely used MOVEit file transfer software back in May. The service was used by vendors and solution providers.

Clop, a Russian-speaking cybercriminal group, has claimed responsibility for breaching dozens of organizations by exploiting the vulnerability, and many have confirmed that they were affected. The group behind the hack has also been identified under the names Cl0p, TA505 and Lace Tempest.

The two state agencies join a host of government agencies, banks and universities that are reported victims of the MOVEit attack.

And litigation appears to have already started over the hack, with government contractor Maximus, Johns Hopkins University and the Johns Hopkins Health System, retirement fund TIAA, health care company Performance Health Technology and retirement and life insurance provider Corebridge Financial reportedly targeted by lawsuits, according to multiple media reports.

Colorado Notice

A notice from the Colorado Department of Health Care Policy & Financing (HCPF) puts the total number of people affected by the breach at 4 million and included people who don’t live in the state. The agency issued written notifications about the breach on Friday.

“No HCPF or State of Colorado systems were affected by this issue,” according to the notice.

HCPF posted a statement to its website that says the agency contracts with IBM as a third-party vendor. In May, IBM used MOVEit to move HCPF data files in the normal course of business.

IBM told the agency of the MOVEit incident and the agency investigated. During the investigation, HCPF saw an “unauthorized actor” accessed “certain HCPF files on the MOVEit application used by IBM” on May 28. HCPF discovered the breach on June 13.

However, “HCPF confirmed that no HCPF systems or databases were impacted,” according to the statement.

“HCPF takes information security seriously and apologize(s) for any inconvenience this incident may cause,” according to the statement. “HCPF and its vendors are reviewing their policies, procedures and cybersecurity safeguards to further protect their systems.”

The files included information for members of Health First Colorado – the state’s Medicaid program – and Child Health Plan Plus.

Information the unauthorized actor may have accessed includes:

*Full names

*Social Security numbers

*Medicaid identification (ID) numbers

*Medicare ID number

*Date of birth

*Home address and contact information

*Demographic or income information

*Clinical and medical information such as diagnosis, condition, lab results, medication or other treatment information)

*Health insurance information

Missouri Notice

IBM informed the Missouri Department of Social Services (DSS) on June 13 that the agency “should presume at that time that certain files saved in the MOVEit software application were accessed by an unauthorized user,” according to a statement the agency issued Aug. 8.

IBM’s Consulting wing used MOVEit as part of its work with the agency.

IBM told the agency that it “applied any recommended MOVEit software fixes and had stopped using the MOVEit Transfer application,” according to the statement.

The files may have contained Medicaid participant protected health information, but the agency continues to analyze the contents of the files. “No DSS systems have been found to have been impacted by this incident,” according to the statement.