Health Care Insurance Data Breach Hits 1.1M Users

CareFirst BlueCross BlueShield, which offers health insurance in Maryland, Washington, D.C., and Virginia, said yesterday (May 20) it had been the victim of a data breach that dates back to June 2014 – when hackers compromised the data of approximately 1.1 million current and former members who registered to use the company’s websites.

Hackers, the company said, compromised one database and may have garnered members’ user names, birthdates, email addresses and ID number info. More sensitive data, such as Social Security numbers, financial info and medical records themselves, were not accessed, CareFirst said.

CareFirst has reached out to those members and asked them to create accounts using new names and passwords. The company said in a statement on carefirstanswers.com, a site devoted to the breach, that it would be exercising “an abundance of caution” by blocking member access to allegedly hacked accounts.

The company said the breach came to light only recently, after security company Mandiant monitored new security efforts after other U.S. health insurers were similarly attacked by cyberthieves. Mandiant’s “M-Trends 2015” report, released earlier this year, indicates that the median time to detect a breach is 205 days (just over six months), which is down from 229 days in 2013. And it’s not uncommon for breaches to be caught by outside sources.

CareFirst said affected members will be contacted via letter and will be offered two free years of credit monitoring and identity theft protection.

“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack – and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”

Other high-profile medical info attacks include the one on Anthem Inc., the nation’s second-largest insurer, which disclosed earlier this year that medical records of as many as 80 million individuals were accessed illegally. And in March 2015, Premera Blue Cross confirmed that hackers may have been able to get hold of data tied to 11 million customers in May 2014.