Photo by frankieleon/Flickr (CC BY 2.0)

1.1 million Blue Cross Blue Shield members hit in cyberattack on CareFirst

Neither Social Security numbers nor any financial information was stolen, they say.


Dell Cameron


Posted on May 20, 2015. Updated on May 28, 2021, 7:06 pm CDT

Once again, hackers have targeted the health-insurance industry.

CareFirst, a not-for-profit health-services company with the Blue Cross Blue Shield Association, revealed on Wednesday that it was the target of a cyberattack, and as many as 1.1 million records of current and former members may have been stolen.

An investigation, conducted by American cybersecurity firm Mandiant, revealed that in June 2014 “cyberattackers” breached CareFirst’s security and accessed a single database containing member data.

The database did not contain passwords; however, the accounts of potentially affected users have been suspended and they’ve been asked to create new accounts.

In a statement on Wednesday, CareFirst, whose customers are located in Maryland; Washington, D.C.; and parts of Virginia, downplayed the significance of the stolen data:

Evidence suggests the attackers could have potentially acquired member-created user names created by individuals to access CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification number.

However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst’s website. The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card, or financial information.

CareFirst President and CEO Chet Burrell said his company was offering potentially affected members two years of free credit monitoring and identity theft protection services, while emphasizing that neither Social Security numbers nor financial information was put at risk. 

Burrell did not say who was behind the cyberattack or whether Mandiant was able to identify the perpetrators.

“Cyberattacks on businesses have, regrettably, become all too common. We understand that news of a cyberattack on [CareFirst] is a cause of concern for our members and others with whom we do business,” Burrell said. “Maintaining the privacy and security of our members’ personal information is one of our highest priorities.”

This marks the third major cyberattack on the health-insurance industry so far this year. Hackers targeted Premera Blue Cross in March, putting at risk some 11 million people. And in February, Anthem, Inc. revealed that it had suffered a “very significant” cyberattack that jeopardized the personal data of nearly 80 million people.

First published: May 20, 2015, 6:22 pm CDT