The Colorado Department of Health Care Policy and Financing (HCPF) on Friday notified more than four million people that their personal healthcare data was exposed in a breach of Progress Software’s MOVEit transfer application.
The case demonstrates that these MOVEit cases are no longer just incidents that involve Progress Software customers and the attackers are also targeting health care organizations.
Last month, government contracting company Maximus confirmed that hackers exploiting a MOVEit vulnerability accessed the protected health information of nearly 11 million people. Maximus contracts with federal, state and local governments to manage and administer government programs such as Medicaid, Medicare, healthcare reform, and welfare-to-work.
The latest HCPF incident was reported to the Colorado health care agency by IBM, which also uses the MOVEit software. While HCPF confirmed that no other HCPF systems or databases were impacted, on June 13, the agency’s investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28.
These files contained the following information: full names, Social Security numbers, Medicaid ID numbers, Medicare ID numbers, dates of birth, home addresses and other contact information, demographic or income information, clinical and medical information, and health insurance information.
For broader context, Emsisoft reports that as of Aug. 12, 668 organizations have been affected by the MOVEit hack, representing more than 46 million people. Emsisoft’s data was sourced from state breach notifications, SEC filings, and other public disclosure, as well as the Cl0p ransomware gang’s website, the group that has publicly claimed responsibility for these attacks.
Critical vulnerabilities like this one that are remotely exploitable and are already being exploited in the wild are the most urgent, said Will Long, chief security officer at First Health Advisory. Long said organizations must have the visibility and tools to determine if they are affected quickly. If an organization gets hit, these types of vulnerabilities need to get mitigated as an emergency: waiting or delays can only lead to more risk.
“The organization must have an emergency procedure to allow fast testing-mitigation of these to mitigate the risk,” said Long. “Bad actors move quickly and will find and exploit these vulnerabilities in the organizations or industries they target. Healthcare maintains lots of personal and healthcare data — these organizations are frequent targets for sensitive data attacks.”
Long added that the MOVEit vulnerability and associated risks are good examples of why third-party risk management and vulnerability management are so important. Long said organizations must have well-organized third-party risk management programs that understand the vendors, products, applications, dataflows in and out of their organizations.
Additionally, organizations need to respond quickly to vulnerability announcements using their inventory, third-party risk data and make a remediation plan very quickly, he continued.
“If either or both of these programs lack maturity, efficiency, and are not tied in well with the other cyber risk management programs, it can lead to significant impacts on an organization’s systems and or data, said Long.
Jim Kelly, regional vice president for endpoint security at Tanium, added that this customer was hit because of a service that was used by one of its providers. It appears that IBM did the right thing by notifying them, however, since HCPF’s systems didn't appear to be involved, and the data was leaked — likely as part of normal operations procedures in good faith with their service provider — there are limited ways they could have prevented the event.
“These methods include routinely evaluating the data being requested or transferred to understand risk factors for the data and ensuring there are clear procedures on safeguarding and handling of sensitive data: in transit, in storage, and the security and vulnerability procedures of your service providers,” said Kelly.
