Healthcare insurer CareFirst BlueCross Blue Shield confirmed today that it was the victim of a data breach last June that impacts 1.1 million people.
According to information from CareFirst, the attackers gained limited access to a single database in June 2014. The database stores information that members and other individuals enter to access CareFirst’s websites and online services, such as usernames, birthdates and subscriber identification numbers. The database did not, however, include password information, which CareFirst stated is fully encrypted and stored in a separate system as a safeguard against such attacks.
The breach was uncovered by a third-party review conducted by security firm Mandiant. Partway through the assessment, Mandiant discovered evidence attackers had infiltrated the database back on June 19, 2014. The database did not include member social security numbers, medical claims, credit card or financial information, and the review did not uncover any evidence of any prior or subsequent attacks.
According to CareFirst, the organization did detect the initial attack and believed it had blocked any unauthorized access to member information. However, in light of attacks against other healthcare companies, the firm sought a comprehensive assessment of its information security efforts, which ultimately uncovered the breach, the company stated.
“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell in a statement. “We are making sure those affected understand the extent of the attack – and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”
The breach impacts approximately 1.1 million current and former CareFirst members and individuals who do business with CareFirst online and who registered to use CareFirst’s websites prior to June 20, 2014. All affected members will receive a letter from CareFirst offering two years of free credit monitoring and identity theft protection. The letters will contain an activation code that will allow users to enroll in the protection programs.
As a precaution, CareFirst has blocked member access to the impacted accounts and will request members create a new password and username.
According to a recent study from Ponemon Institute, criminal attacks against healthcare organizations have shot up 125 percent since 2010 and are now the leading cause of data breaches in the industry. Almost all of the companies included in the survey (91 percent) had experienced at least one data breach during the last two years, and 39 percent had experienced between two and five. Forty percent reported more than five.
“As we predicted during the recent breaches at insurers Premera and Anthem before them, the alarm bells are still sounding for companies in the healthcare industry,” said Kevin Watson, CEO at Netsurion.
“What’s different from the recent Premera breach is that it appears medical and patient information was not exposed in the compromise of CareFirst’s database, which is mildly good news for customers,” he added. “But the amount of data that was stolen, including names, birthdates and email addresses, opens the door for phishing scams.”
CareFirst stated that it has reported the attack to the FBI and is cooperating in the investigation.