CareFirst BlueCross BlueShield has become the latest major health insurer to acknowledge having suffered a large-scale cyberattack on its member data.
Information on about 1.1 million individuals was affected by the breach, which CareFirst discovered during an information technology security review conducted in the wake of the attacks on Anthem and Premera. In June 2014, according to CareFirst, hackers gained access to a single database where CareFirst stores data that is entered by members and other individuals in order to access the company’s websites and online services.
Evidence suggests the attackers could have acquired user names created by individuals to access CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification numbers. However, the breached database did not contain any member Social Security numbers, medical claims, employment, credit card or financial information, CareFirst indicated. Passwords also were not affected because they are fully encrypted and stored in a separate system as a safeguard against such attacks.
“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack — and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”
CareFirst learned of the breach April 21 but did not announce it until May 20. “It was necessary to complete the comprehensive forensic information technology review of all of CareFirst’s systems to understand the nature of the attack, the information potentially accessed, and the members who were affected,” according to the company’s statement. “In addition, the comprehensive review was necessary to determine that there was no evidence of any prior or ongoing attacks and to take steps necessary to ensure the integrity of the system.”