The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Colorado Department of Health Care Policy & Financing: 4,662,668 Individuals Affected by MOVEit Hack

The Colorado Department of Health Care Policy & Financing has issued an updated breach notification to the Maine Attorney General confirming that the sensitive data of 4,662,668 individuals was compromised when the Clop hacking group exploited a vulnerability in Progress Software’s MOVEit Transfer solution in May 2023. MOVEit was used by its business associate, IBM, for file transfers. Progress Software issued a patch to fix the vulnerability on May 31, 2023; however, the flaw had already been exploited.

The Colorado Department of Health Care Policy & Financing has been investigating the breach to determine what data was involved and has confirmed that the protected health information of Health First Colorado and CHP+ members was involved, as well as the data of applicants, providers, provider and member-affiliated individuals, and individuals who may provide additional coverage to Health First Colorado and CHP+ members. The compromised data included full names, Social Security numbers, and insurance policy identifiers.

Previous notifications were issued by the Colorado Department of Health Care Policy & Financing on August 11, 2023, and October 3, 2023, with the latest batch of notifications sent on February 19, 2024, to further individuals whose data was confirmed on January 17, 2024, as having been affected. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Aspen Dental Confirms April 2023 Ransomware Attack

Aspen Dental Management, a Chicago, IL-based dental service organization, has announced that it fell victim to a ransomware attack on April 25, 2023, and that the attackers potentially accessed and exfiltrated files containing the sensitive data of patients. The breached information includes names, dates of birth, Social Security numbers, state ID/driver’s license information, health and insurance information, banking information, and biometric data.

No evidence was found to indicate that there has been any misuse of patient data; however, as a precaution, individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Aspen Dental Management provides administrative and business support services to Aspen Dental-branded practices and supports more than 1,000 practices in the United States. Aspen Dental reported the data breach to the HHS’ Office for Civil Rights in August 2024 as involving the protected health information of 62,183 individuals.

Lexington Medical Center Suffers Email Account Breach

Lexington Medical Center in South Carolina has experienced a breach of an employee’s email account and data drive. Suspicious activity was detected in the email account and the forensic investigation confirmed that the account was first accessed by an unauthorized individual on October 4, 2023. On January 18, 2024, Lexington Medical Center confirmed that the email account and data drive contained a limited number of files that included patients’ protected health information.

The information in those files included full names, dates of birth, medical record numbers, health insurance identification numbers, patient charge descriptor information, billing codes, and for a limited number of individuals, Social Security numbers. No evidence has been found to indicate actual or attempted misuse of the impacted data. Notification letters were mailed to the affected individuals on February 12, 2024, and individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring services.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
