Insurer CareFirst Confirms ‘Sophisticated’ Hackers Stole 1.1 Million Customer Records
CareFirst, a Blue Cross Blue Shield health insurer, announced on Wednesday that it was the target of a "sophisticated cyberattack," making it the third major healthcare player this year to suffer a security breach. In this instance, CareFirst estimates that around 1.1 million current and former members and individuals who do business with CareFirst online who registered before June 20, 2014, are affected.
The health insurer enlisted the help of Mandiant, a leading cybersecurity firm, to audit its systems for any suspicious activity following the recent hacker attacks affecting other health insurers. Unfortunately for CareFirst, Mandiant's end-to-end examination of its IT environment found evidence that CareFirst was hit with a security breach and that the attackers may have acquired member usernames created by individuals when registering to use the company's website, real names, birth dates, email addresses, and subscriber identification numbers.
"We deeply regret the concern this attack may cause," said CareFirst President and CEO Chet Burrell. "We are making sure those affected understand the extent of the attack – and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years."
The cyber invasion occurred in June of last year when attackers gained access to a single database. Luckily for CareFirst, there's no evidence to suggest there were any prior or subsequent attacks, or that any other personal information was accessed, such as credit cards, social security numbers, medical records, and so forth.
CareFirst also said that it encrypts and stores member-created passwords in a separate system to safeguard against this very thing. Or in other words, the damage could have been much worse.
The health insurer enlisted the help of Mandiant, a leading cybersecurity firm, to audit its systems for any suspicious activity following the recent hacker attacks affecting other health insurers. Unfortunately for CareFirst, Mandiant's end-to-end examination of its IT environment found evidence that CareFirst was hit with a security breach and that the attackers may have acquired member usernames created by individuals when registering to use the company's website, real names, birth dates, email addresses, and subscriber identification numbers.
"We deeply regret the concern this attack may cause," said CareFirst President and CEO Chet Burrell. "We are making sure those affected understand the extent of the attack – and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years."
The cyber invasion occurred in June of last year when attackers gained access to a single database. Luckily for CareFirst, there's no evidence to suggest there were any prior or subsequent attacks, or that any other personal information was accessed, such as credit cards, social security numbers, medical records, and so forth.
CareFirst also said that it encrypts and stores member-created passwords in a separate system to safeguard against this very thing. Or in other words, the damage could have been much worse.
