CareFirst BlueCross BlueShield (CareFirst) joins the list of healthcare organizations affected by a large cybersecurity attack, as it announced yesterday that approximately 1.1 million current and former members potentially had their information accessed.
The CareFirst health data breach was initiated in June 2014, when cyber attackers gained access to a single database that the organization uses for members and other individuals to access CareFirst’s websites and online services, according to a company statement.
CareFirst stated that “limited personal information” was involved in the health data breach. That information includes user names that members created to access CareFirst’s website, members’ names, dates of birth, email addresses and subscriber identification numbers. Social Security numbers, medical claims information and financial information were not affected.
The health data breach was discovered as a part of CareFirst’s IT security efforts, the company explained, and it had been working with Mandiant for IT examinations. On April 21, 2015, as the assessment was taking place, Mandiant discovered that “a sophisticated cyberattack occurred.” The attack likely led to “limited unauthorized access to a database on June 19, 2014.”
“We deeply regret the concern this attack may cause,” CareFirst President and CEO Chet Burrell said in a statement. “We are making sure those affected understand the extent of the attack – and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”
Members who registered to use CareFirst’s websites prior to June 20, 2014 are affected by this event, according to the organization. Affected individuals will receive notification letters with an activation code, and members will need to use the letter to enroll in the offered protections. In an FAQ on its site, CareFirst added that other BCBS members are not affected by this event.
“Out of an abundance of caution, CareFirst has blocked member access to these accounts and will request that members create new user names and passwords,” the statement read.
The organization also defended its notification timeline in the FAQ section, saying that “it was necessary to complete the comprehensive forensic information technology review of all of CareFirst's systems to understand the nature of the attack, the information potentially accessed, and the members who were affected.” It was also necessary to have a comprehensive review to ensure that there were no ongoing attacks.
Unfortunately, this is not the first BCBS organization to experience a large-scale cybersecurity attack this year. Premera Blue Cross announced in March that it was the “target of a sophisticated cyber attack,” affecting approximately 11 million individuals.
Premera discovered the attack on Jan. 29, 2015, and said that the initial attack occurred on May 5, 2014. Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the health insurer’s affiliate brands Vivacity and Connexion Insurance Solutions, Inc. were all potentially affected. Members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska were also affected.