IBM hit by hackers leading to theft of over 4 mn Americans’ health data

San Francisco: Hackers exploited a zero-day vulnerability in the MOVEit file-transfer software leading to the theft of sensitive medical and health information data of millions of Americans, the US authorities have revealed.

The Colorado Department of Health Care Policy and Financing (HCPF) said it had fallen victim to the MOVEit mass hacks, consequently exposing the data of more than 4 million patients.

In an official statement, the department said that the data breach occurred due to the use of the MOVEit application by IT major IBM for the routine transfer of HCPF data files.

Cybercriminals took advantage of a previously unknown security flaw in the MOVEit file-transfer software to illicitly obtain confidential medical and health data belonging to millions of US citizens.

“IBM, a third-party vendor contracted with HCPF, uses the MOVEit application to move HCPF data files in the normal course of business,” said the department.

“Progress Software publicly announced that the MOVEit problem was the result of a cybersecurity incident, which impacted many users around the world, including IBM. No HCPF or State of Colorado systems were affected by this issue,” it added.

Also Read: X fined $350K for delayed response to Trump's account search warrant

After IBM notified HCPF that it was impacted by the MOVEit incident, the Colorado department launched an investigation to understand whether the incident impacted its own systems and to determine whether Health First Colorado or CHP+ members’ protected health information was accessed by an unauthorised party.

“The investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorised actor. These files contained certain Health First Colorado and CHP+ members’ information,” the department revealed.

The information that could have been subject to unauthorised access includes name, Social Security number, medical information, and health insurance information.

The HCPF admitted about 4.1 million individuals are affected.

IBM has yet to publicly confirm that it was affected by the MOVEit mass hacks.

Maximus, a US government services contracting company, in July, confirmed that hackers exploited a vulnerability in MOVEit Transfer to access the protected health information of 8 to 11 million individuals.

Maximus is a contractor that manages and administers federal and local government-sponsored programmes, as well as student loan servicing.

The breach is believed to be the largest healthcare data breach of the year, as well as the most serious to result from the MOVEit mass-hackings.

In the US Securities and Exchange Commission (SEC) filing, Maximum revealed that the data was stolen by exploiting a zero-day vulnerability in the MOVEit file transfer application.

Also Read: Apple to shut down its iTunes Movie Trailers app

Tags: