Sensitive medical and health information of millions of Americans was compromised when cybercriminals leveraged a zero-day vulnerability in the widely used MOVEit file transfer software to breach systems operated by tech giant IBM.

The Colorado Department of Health Care Policy and Financing (HCPF), responsible for administering Colorado's Medicaid program, confirmed the extent of the breach on Friday, revealing that over 4 million patients' data had been exposed.

According to the breach notification sent to affected individuals, the compromised data was linked to IBM's use of the MOVEit application for transferring HCPF data files as part of regular operations. While the incident did not impact HCPF or Colorado state government systems, unauthorized access was gained to certain HCPF files within the MOVEit application managed by IBM.

The breached files contained sensitive information such as patients' full names, dates of birth, home addresses, Social Security numbers, Medicaid and Medicare ID numbers, income details, clinical and medical records (including lab results and medications), and health insurance information.

The breach affected around 4.1 million individuals, as confirmed by HCPF.

IBM has yet to publicly acknowledge its involvement in the MOVEit mass hacks, and there has been no response from an IBM spokesperson when contacted by TechCrunch.

This breach also impacted the Department of Social Services (DSS) in Missouri, although the exact number of affected individuals remains unknown. The DSS noted in a breach notification that IBM is a service provider to the agency responsible for offering Medicaid services. While the DSS systems were not directly impacted, data belonging to the agency was accessed.

Potentially exposed data includes an individual's name, department client number, date of birth, possible benefit eligibility status or coverage, and medical claims information.

Both HCPF in Colorado and DSS in Missouri have not been identified on the dark web leak site connected to the Clop ransomware gang, which has claimed responsibility for the mass hacks. The group, linked to Russia, stated on the site that they lack government data.

This incident in Colorado follows shortly after the Colorado Department of Higher Education reported a ransomware attack that resulted in hackers accessing and copying 16 years' worth of data. In addition, Colorado State University recently confirmed a MOVEit-related data breach affecting tens of thousands of students and academic staff.

Furthermore, PH Tech, a company providing data management services to U.S. healthcare insurers, acknowledged its impact in the MOVEit hacks, affecting the health information of 1.7 million Oregon residents.

Notably, the largest breach involving a U.S. healthcare provider this year is attributed to HCA Healthcare. This breach, unrelated to MOVEit, exposed the names, addresses, and appointment details of 11.2 million individuals.