A government department in Colorado is the latest victim of a third-party attack by Russia’s Cl0p ransomware group in connection with the MOVEit Managed File Transfer platform. Department officials say that the group stole the personal health data of about 4 million members of state health programs from IBM-managed systems.

On May 31, the Colorado Department of Health Care Policy & Financing (HCPF) noticed a problem — ultimately determined to be a cybersecurity incident — affecting its MOVEit Transfer application, according to a public notice by the department available online. IBM, a third-party contractor with HCPF, uses the application to move HCPF data files “in the normal course of business.”