Personal info of 1.1M customers stolen in CareFirst breach

CareFirst, a Blue Cross Blue Shield plan, has announced that they have suffered a breach in which the attackers gained access to one of their databases.

“Evidence suggests the attackers could have potentially acquired member-created user names created by individuals to access CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification number,” the company noted.

“However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst’s website. The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card, or financial information.”

The breach dates back to June 20, 2014, and was discovered by experts of cyber security firm Mandiant, who were called in to assess the company’s IT environment in the wake of the Anthem and Premera breaches. The breach was discovered partway through this assessment, on April 21, 2015.

It’s interesting to note that the company says they actually did detect the initial attack, that they tried to contain it and believed they had.

They estimate that around 1.1 million current and former CareFirst members and individuals who registered with CareFirst’s websites before June 20, 2014, have been affected by the breach. All those people will be provided two free years of credit monitoring and identity theft protection, and will be forced to change their login credentials.

They have warned affected users that they will be receiving a letter with a personalized code to enroll in those services, and to be wary of inquiries by phone, email or social media purporting to be related to this attack, as they do not plan to contact affected users through those channels.

“This is the third Blue Cross/Shield, along with Premera and Anthem, to be hit with a major breach. In all three cases, the length of time the attacker was in their network before they knew about it was quite long. This is very troubling,” Eric Cowperthwaite, VP of advanced security and strategy, Core Security, commented.

“If you can’t prevent an attack, and you can’t detect an attack, you have a very big problem. It appears that the health insurance industry has this very big problem. The healthcare industry must wake up and realize that they are subject to the same threats the financial services industry faces.”
