(The Center Square) – Colorado’s Department of Health Care Policy and Financing is notifying Medicaid enrollees and other participants of its health programs about an entity gaining unauthorized access to personal information in May.

The department is the latest organization in a widespread security incident involving IBM and a third-party application, Progress Software’s MOVEit.

In a media release, the department stated Progress Software discovered a problem with its software, used to move data files. The department said no state of Colorado systems were affected.

The department launched its own investigation after IBM notified them of the incident. On June 13, the department’s investigation found certain files on the MOVEit application used by IBM “were accessed by the unauthorized actor on or about May 28.”

“These files contained certain Health First Colorado and Child Health Plan Plus members’ information,” the release said.

The department said the compromised information may have included one or more of the following items for certain individuals: full name, Social Security number, Medicaid ID number, Medicare ID number, date of birth and home address. Other information at risk includes demographic or income information and health insurance data. The information also included clinical and medical records, such as diagnoses and conditions, lab results, medications and other treatment information.

The department said its vendors are reviewing their policies, procedures and cybersecurity protection to further protect information systems. The department is offering potentially impacted individuals with two years of free credit monitoring and identity restoration services. Federal law provides one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian and TransUnion. 

The MOVEit vulnerability affected hundreds of organizations throughout the nation and world and millions of individuals, according to an assessment by Reuters.