Skip to Content
News

CO Dept. of Health Care Policy & Financing reports data breach

HCPF
By
Published 4:58 PM

DENVER, Colo. (KRDO) -- The Colorado Department of Health Care Policy and Financing (HCPF) reported Friday what it is calling a "recent data security incident that involves certain individuals’ personal information and/or protected health information."

The HCPF oversees Health First Colorado (Colorado’s Medicaid program), Child Health Plan Plus (CHP+), and other healthcare programs for Coloradans who qualify.

According to the HCPF, on May 31, 2023, Progress Software discovered a problem affecting its MOVEit® Transfer application. IBM, a third-party vendor contracted with HCPF, uses the MOVEit application to move HCPF data files in the normal course of business. Progress Software publicly announced that the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM. No HCPF or State of Colorado systems were affected by this issue. 

The HCPF said that after IBM notified HCPF that it was impacted by the MOVEit incident, HCPF launched an investigation right away to understand whether the incident impacted HCPF’s own systems, and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorized party. The HCPF said they confirmed that no other HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023. These files contained certain Health First Colorado and CHP+ members’ information. HCPF has since learned that certain individuals’ information was included in these files.

According to the HCPF, the information may have included one or more of the following pieces of information for certain individuals: full name, Social Security number, Medicaid ID number, Medicare ID number, date of birth, home address and other contact information, demographic or income information, clinical and medical information (such as diagnosis/condition, lab results, medication, or other treatment information), and health insurance information. 

The HCPF said it apologizes for any inconvenience this incident may cause and its vendors are reviewing their policies, procedures, and cybersecurity safeguards to further protect their systems. The department also said that as an added precaution, it is offering potentially impacted individuals two years of free credit monitoring and identity restoration services provided through Experian.

For more information, visit HCPF’s website,

Article Topic Follows: News

Jump to comments ↓

Author Profile Photo

KRDO News

BE PART OF THE CONVERSATION

KRDO NewsChannel 13 is committed to providing a forum for civil and constructive conversation.

Please keep your comments respectful and relevant. You can review our Community Guidelines by clicking here

If you would like to share a story idea, please submit it here.

Skip to content