Millions of Americans had their sensitive medical and health information stolen after hackers exploiting a zero-day vulnerability in the widely used MOVEit file transfer software raided systems operated by tech giant IBM.

Colorado’s Department of Health Care Policy and Financing (HCPF), which is responsible for administering Colorado’s Medicaid program, confirmed on Friday that it had fallen victim to the MOVEit mass-hacks, exposing the data of more than four million patients.

In a data breach notification to those affected, Colorado’s HCPF said that the data was compromised because IBM, one of the state’s vendors, “uses the MOVEit application to move HCPF data files in the normal course of business.”

The letter states that while no HCPF or Colorado state government systems were affected by this issue, “certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor.”

These files include patients’ full names, dates of birth, home addresses, Social Security numbers, Medicaid and Medicare ID numbers, income information, clinical and medical data including lab results and medication, and health insurance information.

HCPF says about 4.1 million individuals are affected.

IBM has yet to publicly confirm that it was affected by the MOVEit mass-hacks, and an IBM spokesperson did not respond to a request for comment by TechCrunch.

The breach of IBM’s MOVEit systems also impacted Missouri’s Department of Social Services (DSS), though the number of affected individuals is not yet known. More than six million people live in Missouri state.

In a data breach notification posted last week, Missouri’s DSS said: “IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly impact any DSS systems, but impacted data belonging to DSS.”

DSS says that the data accessed may include an individual’s name, department client number, date of birth, possible benefit eligibility status or coverage, and medical claims information.

Neither Colorado’s HCPF nor Missouri’s DSS have been listed on the dark web leak site of the Clop ransomware gang, which has claimed responsibility for the mass attacks hacks. In a message on the site, the Russia-link group claims, “We don’t have any government data.”

The news of Colorado’s latest breach comes just days after the Colorado Department of Higher Education said it had experienced a ransomware incident that saw hackers access and copy 16 years’ worth of data from its systems. Colorado State University also confirmed last month that it had suffered a MOVEit-related data breach impacting tens of thousands of students and academic staff.

Meanwhile, PH Tech, a company that provides data management services to U.S. healthcare insurers, confirmed that it was also affected by the MOVEit hacks, affecting the health information of 1.7 million Oregon residents.

The largest breach of a U.S. healthcare provider so far this year goes to HCA Healthcare, which involved the names, addresses and appointment details of 11.2 million people in a security lapse unrelated to MOVEit.