It was only a matter of time until a big regional Blue Cross insurer got hacked, except that time was a year ago and security experts just recently uncovered it.
Baltimore-based CareFirst BlueCross BlueShield, an insurer in Washington, Maryland and Virginia, has disclosed that data on 1.1 million members was breached in a cyberattack last June.
The attack compromised the names, dates of birth, email addresses, member ID numbers and usernames of 1.1 million members. It went undetected by the insurer, said CareFirst CEO Chet Burrell. Cybersecurity consultant Mandiant "was the firm that actually discovered the attack," in an end-to-end testing of the company's data systems commissioned in the wake of the Anthem and Premera hackings.
As Healthcare IT News security expert Erin McCann noted, CareFirst officials said the breach was a "sophisticated cyberattack," but it may not necessarily have been very advanced. Like the other two hackings, this one may have partly been about vulnerability.
"I have never found an insurance company that required a sophisticated attacking incident. Period," Kevin Johnson, founder of security consulting firm Secure Ideas, told Healthcare IT News. Insurers "have tons of systems. They have tons of tests. It's a huge conglomeration of stuff," said Johnson, who spent seven years at Florida Blue.
Mandiant found that in June 2014 cyberattackers gained access to a single CareFirst database with data that members use for online services. CareFirst user names must be used in conjunction with a member-created password, and the database did not include the passwords, which were encrypted, the insurer said. No Social Security numbers, medical claims, employment, credit card, or financial information were breached.
"We are making sure those affected understand the extent of the attack, and what information was and was not affected," said Burrell. "Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years."
In "an abundance of caution," CareFirst has blocked member access to these accounts and will ask them to create new usernames and passwords.