Colorado Department of Health Care Policy & Financing Discloses Massive Data Breach
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
In recent months, millions of Americans have been affected by data breach incidents involving healthcare organizations. The Colorado Department of Health Care Policy & Financing (HCPF) revealed that personal and health information of around 4.1 million individuals was compromised in a MOVEit-related data breach.
The government department is responsible for managing the Health First Colorado (Colorado’s Medicaid program), Child Health Plan Plus (CHP+), and other health programs for citizens with disabilities, the elderly, and low-income families.
In the notice, HCPF said that the incident did not directly impact its own systems; rather, the data compromise occurred at IBM, one of its vendors. IBM uses the MOVEit application to transfer certain HCPF files. The breach is said to have occurred on or about May 28.
On being notified by IBM, the state agency launched an immediate investigation to confirm whether any of its systems had been impacted, and to determine whether any personal and/or health data of citizens had been accessed by the threat actors.
“While HCPF confirmed that no HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application [..] were accessed [..]. These files contained certain Health First Colorado and CHP+ members’ information,” the notice revealed.
The extracted information included personal data such as some individuals’ full name, date of birth, home address, Social Security Number, demographic or income information, health insurance details, and diagnostic, medication, and treatment information.
According to the department, 4,091,794 individuals have been impacted by this incident. In line with government guidelines, HCPF has notified the impacted people and the relevant regulatory office, i.e., the Maine Attorney General’s office. It is also providing two years of credit monitoring services through Experian.
Earlier this month, the Colorado Department of Higher Education (CDHE) disclosed a similar data breach incident, unrelated to MOVEit, that compromised student and faculty information.
TunnelCrack: New Security Vulnerabilities Deprive Users of VPN Protection
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
A study carried out by researchers from New York University and KU Leuven revealed security and privacy vulnerabilities (dubbed TunnelCrack) in VPN clients. These vulnerabilities can be exploited in two attacks that leak user traffic outside the encrypted tunnel.
The two resulting attacks, ‘LocalNet’ and ‘ServerIP’, stem from how VPN clients configure the operating system (OS) to route traffic through the VPN tunnel. The client does this by updating the system’s IP routing table and adding routing exceptions, such as for traffic to and from the local network and to the VPN server itself.
The research revealed that these routing exceptions can be exploited by using dubious WiFi access points or spoofed DNS responses, allowing selected traffic to bypass the encrypted tunnel. Moreover, the attacks are independent of any protocol used by the connection.
The LocalNet attack, tracked as CVE-2023-36672, requires an attacker to set up a rogue WiFi access point and trick the victim into connecting to it. Typically this is a public hotspot on a local network the target is interested in using. Once connected, the target is assigned an IP address and subnet chosen by the attacker.
Because most VPNs allow direct access to the local network, traffic to that subnet falls under the routing exception and bypasses the encrypted tunnel.
This attack can be mitigated by enabling the option to block local traffic in the VPN settings. Although this routes all traffic through the VPN tunnel, it also prevents local-network uses, such as streaming video to a TV, while connected to the VPN.
The ServerIP attack, tracked as CVE-2023-36673, exploits a design property common to most VPNs: traffic addressed to the VPN server itself is not sent through the encrypted tunnel. To carry out this attack, the adversary spoofs the DNS responses the victim receives, redirecting the victim’s network traffic to an adversary-controlled server. This allows the attacker to read and modify the unencrypted traffic.
This attack can be mitigated by using encrypted DNS, such as DNS over TLS or DNS over HTTPS, which makes DNS spoofing harder. VPN users should also check for and install security updates as soon as they become available.
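As an added illustration (not from the research team or the article), the following Python models the routing exceptions described above with a constructed routing table: a default route into the tunnel plus exceptions for the local network and the VPN server address. It shows which destinations would leave the device outside the tunnel and how the “block local traffic” setting changes that; interface names and addresses are assumptions.

```python
import ipaddress

# Constructed routing table modelled on what a VPN client typically installs:
# a default route into the tunnel plus the two exceptions the article describes
# (the local network and the VPN server's own address). Interface names are
# assumptions; addresses are taken from RFC 5737 documentation ranges.
VPN_IFACE = "tun0"
ROUTES = [
    ("0.0.0.0/0",       "tun0"),   # default: everything through the tunnel
    ("192.168.1.0/24",  "wlan0"),  # local-network exception (LocalNet)
    ("203.0.113.10/32", "wlan0"),  # VPN server address exception (ServerIP)
]
# Same table with the "block local network" option enabled, i.e. no local exception.
HARDENED_ROUTES = [r for r in ROUTES if r[0] != "192.168.1.0/24"]

def egress(dst, routes):
    """Pick the egress interface by longest-prefix match, as the OS does."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def bypasses_tunnel(dst, routes, vpn_iface=VPN_IFACE):
    """True when packets to dst leave unencrypted over a physical interface."""
    return egress(dst, routes) != vpn_iface

def tunnel_exceptions(routes, vpn_iface=VPN_IFACE):
    """Every prefix the table sends around the tunnel; compare against what you expect."""
    return [prefix for prefix, iface in routes if iface != vpn_iface]

if __name__ == "__main__":
    for dst in ("198.51.100.7", "192.168.1.20", "203.0.113.10"):
        flag = "BYPASSES TUNNEL" if bypasses_tunnel(dst, ROUTES) else "tunnelled"
        print(f"{dst:>15} -> {egress(dst, ROUTES)} ({flag})")
    print("exceptions:", tunnel_exceptions(ROUTES))
    print("with local traffic blocked:", tunnel_exceptions(HARDENED_ROUTES))
```

With the local exception removed, a host in the attacker-assigned subnet is routed through the tunnel again, while the VPN server address remains the one route that must stay outside it.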
The study involved 67 VPN products (free, paid, open-source, commercial, and built-in VPN clients) and different versions of Windows, Linux, iOS, macOS, and Android operating systems.