• United States



Senior Staff Writer

CareFirst data breach affects 1.1 million people

May 20, 20152 mins
CybercrimeData and Information SecurityData Breach

Mandiant discovered the breach after being hired to perform an assessment

healthcare security hp
Credit: Thinkstock

On Wednesday, CareFirst BlueCross BlueShield (CareFirst) disclosed a data breach that impacts 1.1 million current and former members, who registered to use the insurer’s websites or who did business with them online prior to June 20, 2014.

CareFirst stated that they detected the initial compromise and took action to contain the attack. The assumption made was that their actions helped avoid a crisis.

“At the time CareFirst believed that we had contained the attack and prevented any actual access to member information. The evidence that data was accessed was found as part of a comprehensive assessment conducted as part of CareFirst’s ongoing information security efforts in the wake of cyberattacks on other health care companies,” the insurer stated.

The full impact of the breach was confirmed later by Mandiant after the security firm was hired to perform and audit at CareFirst.

The audit was part of a pro-active response plan in the wake of several other healthcare related incidents last year, including those that affected other BlueCross BlueShield providers and Anthem.

According to statements released by the company, while the IT staff thought they’d contained the incident, the attackers were able to access a database on June 19, 2014.

The database stored information that members and other individuals used to conduct business with CareFirst online. The data exposed includes usernames, birth dates, email addresses and subscriber numbers.

CareFirst says that no other PII was exposed during the incident, including Social Security Numbers, medical claims, employment records, or financial data.

While CareFirst stresses that accounts are safe because the attackers didn’t access encrypted passwords stored outside of the compromised database, what the insurer isn’t saying is that the attackers did get enough information to conduct Phishing campaigns.

Within the next three weeks, CareFirst will be notifying 1.1 million people in Maryland, the District of Columbia, and parts of Virginia about the incident, offering them two years of credit monitoring.

CareFirst has also blocked member access to the affected accounts online, until new passwords and usernames have been created.