CareFirst data breach affects about 1.1M people

CareFirst BlueCross BlueShield fall victim of a major data breach, personal information belonging more than one million individuals could have been exposed.

Health insurer CareFirst BlueCross BlueShield is notifying more than one million individuals that it was the victim of a data breach which may have exposed personal information used by attackers to gain limited, unauthorized access to one of the company database. The investigators speculate attackers have accessed personal information, including names, birth dates, email addresses and subscriber identification numbers, usernames to access the CareFirst website.

“On May 20, 2015, CareFirst BlueCross BlueShield (CareFirst) announced that the company has been the target of a sophisticated cyberattack. The attackers gained limited, unauthorized access to a single CareFirst database.” states the advisory posted to the website.

“Approximately 1.1 million current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst’s websites prior to June 20, 2014 are affected by this event.”

CareFirst had hired security firm Mandiant to perform an assessment of internal IT systems that revealed the data breach. On April 21, security experts at Mandiant discovered evidence of unauthorized accesses to the database on June 19, 2014. The experts haven’t found evidence of additional attacks against the CareFirst systems.

The advisory highlighted that hackers accessed only usernames explaining that related passwords were stored in encrypted format on a separate system not breached by hackers. The message from CareFirst President and CEO, Chet Burrell confirmed that no member Social Security Numbers, medical claims information or financial information were exposed.

All the individuals potentially exposed by the data breach are being notified, the company urges them to change their credentials and offered two years of free credit monitoring and identity theft protection services.

“All affected members will receive a letter from CareFirst offering two free years of credit monitoring and identity theft protection. The letters will contain an activation code and you must have the letter to enroll in the offered protections. Out of an abundance of caution, CareFirst has blocked member access to these accounts and will request that members create new user names and passwords.”

Be aware of scammers that could try to exploit the incident, CareFirst remarked that it will not be contacting people by email, phone or social media.

Unfortunately, Health insurers are a privileged target of criminal organizations, in February the nation’s second largest health insurer Anthem announced that hackers violated its servers and stolen personal information for about 80 million people.

Pierluigi Paganini

(Security Affairs – CareFirst, data breach)