Once again, hackers have targeted the health-insurance industry.
CareFirst, a not-for-profit health-services company with the Blue Cross Blue Shield Association, revealed on Wednesday that it was the target of a cyberattack, and as many as 1.1 million records of current and former members may have be stolen.
An investigation, conducted by American cybersecurity firm Mandiant, revealed that in June 2014 “cyberattackers” breached CareFirst’s security and accessed a single database containing member data.
The database did not contain passwords; however, the accounts of potentially affected users have been suspended and they’ve been asked to create new accounts.
In a statement on Wednesday, CareFirst, whose customers are located in Maryland; Washington, D.C.; and parts of Virginia, downplayed the significance of the stolen data:
Evidence suggests the attackers could have potentially acquired member-created user names created by individuals to access CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification number.
However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst’s website. The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card, or financial information.
CareFirst President and CEO Chet Burrell said his company was offering potentially affected members two years of free credit monitoring and identity theft protection services, while emphasizing that neither Social Security numbers nor financial information was put at risk.
Burrell did not say who was behind the cyberattack or whether Mandiant was able to identify the perpetrators.
We understand your concerns. Visit https://t.co/rpvnXb1X16 for information related to the cyberattack on CareFirst.— CareFirst BlueCross BlueShield (@CareFirst) May 20, 2015
“Cyberattacks on businesses have, regrettably, become all too common. We understand that news of a cyberattack on [CareFirst] is a cause of concern for our members and others with whom we do business,” Burrell said. “Maintaining the privacy and security of our members’ personal information is one of our highest priorities.”
This marks the third major cyberattack on the health-insurance industry so far this year. Hackers targeted Premera Blue Cross in March, putting at risk some 11 million people. And in February, Anthem, Inc. revealed that it had suffered a “very significant” cyberattack that jeopardized the personal data of nearly 80 million people.
Photo by frankieleon/Flickr (CC BY 2.0)