Over millions of people in the US had their private medical info stolen by hackers who found a sneaky way into IBM’s super popular MOVEit file transfer software.
The Colorado Department of Health Care Policy and Financing (HCPF), the folks in charge of Colorado’s Medicaid program, got hit hard, and more than 4 million patient records were exposed.
Hackers target IBM
HCPF had to notify people affected, explaining that the data got compromised because IBM, one of their vendors, was using MOVEit to move around HCPF’s files. No HCPF or Colorado government systems got messed with, but the bad actors got into some HCPF files on the MOVEit app that IBM was using.
And here’s what those files held: full names, birthdays, addresses, Social Security digits, Medicaid and Medicare ID numbers, money info, medical details like lab results and meds, and health insurance.
All in all, around 4.1 million people got caught up in this mess.
Hackers did not damage the network; they just stole data.
This attack on IBM’s MOVEit systems also got to Missouri’s Department of Social Services (DSS), affecting many people. Missouri has more than 6 million residents. DSS made it clear that this data breach didn’t mess with their systems directly, but it did mess with the data they had. So, names, client numbers, birthdates, benefits info, and medical claims data might’ve been nabbed.
Surprisingly, neither HCPF nor DSS are showing up on the dark web, where the Clop ransomware gang is bragging about their hacks. Those hackers are about “government data,” but these two aren’t listed.
Another govt department was hacked.
Right on the heels of all this chaos, the Department of Higher Education got hit with ransomware, too. Hackers swiped have 16 years’ worth of data. Last month, Colorado State University got caught up in a MOVEit-related mess, affecting lots of students and staff.
PH Tech, which handles data for several healthcare insurers, got tangled up in the MOVEit hacks. They’re saying 1.7 million Oregon residents’ health info got hit.
But the most significant breach this year, unrelated to MOVEit, belongs to HCA Healthcare. They accidentally left out the welcome mat for hackers, and 11.2 million people’s names, addresses, and appointment info walked right in.
