Date: 2023-08-18

DENVER (KKTV) - The public should be aware of a data security incident that may impact people in Colorado.

Click here for a news release from Colorado’s Department of Health Care Policy and Financing on the matter. The department oversees Health First Colorado, Colorado’s Medicaid program. The Medicaid program includes Child Health Plan Plus (CHP+), and other health care programs for Coloradans who qualify.

The following is a media release sent out by Maximus Human Services, Inc. on Aug. 18.

The apparent data breach could impact people who utilize government programs through the State of Colorado Department of Human Services, Division of Child Support Services, including the State Directory of New Hires.

KKTV 11 News has reached out to several state agencies for clarification on the data “incident” reported by Maximus, but the following news release was sent to the public:

Maximus Human Services Inc. (Maximus) is providing notice of a data security incident that may affect the privacy of certain individuals’ personal information. Maximus provides services to support certain government programs of the State of Colorado Department of Human Services, Division of Child Support Services (“the Department”), including the State Directory of New Hires. Individuals’ information may have been involved because the Department uses Maximus services to collect information employers are legally mandated to report to the Department and other Child Support Service divisions throughout the country. The incident involved a vulnerability in MOVEit Transfer, a third-party software application provided by Progress Software Corporation (Progress). Maximus is among the many organizations in the United States and globally that have been impacted by the MOVEit vulnerability.

On May 30, 2023, Maximus detected unusual activity in its MOVEit environment. Upon detection, Maximus promptly began to investigate with the help of nationally recognized cybersecurity experts. Early in the day on May 31, 2023, Maximus took the MOVEit application offline. Later that same day, Progress first publicly announced a previously unknown vulnerability in its MOVEit software, which an unauthorized party used to gain access to files of many MOVEit customers. Maximus subsequently applied vendor-recommended actions, including applying new patches made available by Progress, to address the vulnerability.

Maximus promptly informed the Department of the incident and has been working with them since notification. Additionally, Maximus engaged a forensic investigation firm and a data analysis firm to identify affected individuals and the types of information involved. Maximus learned that from approximately May 27th through 31st, 2023, the unauthorized party obtained copies of certain files that were saved in the Maximus MOVEit application. Upon receiving this information, Maximus began to analyze the files to determine which data was affected. The investigation determined that the files contained some personal information. Maximus communicated this to the Department on July 20, 2023.

What information was involved?

The analysis has revealed that personal information involved in this incident varied by individual and may include name, social security number, address, and date of birth. At this time Maximus has not identified evidence that data accessed has been improperly used.

What are we doing?

Maximus is offering two years of complimentary credit monitoring, identity restoration and fraud detection services through Experian.

Although the investigation has determined that the incident did not impact Maximus systems directly, beyond Maximus’ MOVEit environment, Maximus continues to enhance its cybersecurity posture to safeguard against ever-evolving cyber threats, monitor for unusual activity and vulnerabilities, and apply vendor-recommended actions as applicable. Maximus has also notified and is cooperating with law enforcement.

What can affected individuals do?

As good practice, it is recommended that individuals regularly monitor account statements and monitor free credit reports. If individuals identify suspicious activity, individuals should contact the company that maintains their account on their behalf.

For more information:

The Department takes the privacy and security of personal information very seriously and regrets that this incident occurred. For questions or additional information, individuals can call 1-833-919-4749 toll-free. This call center is open Monday through Friday from 8 am – 10 pm Central, or Saturday and Sunday from 10 am – 7 pm Central (excluding major U.S. holidays). Individuals that received a notification letter in the mail should be prepared to provide the engagement number provided in that letter.

