CareFirst BlueCross BlueShield announced yesterday that attackers gained access to a single company database containing the sensitive and personal information of more than a million of its current and former health insurance customers.
BlueCross BlueShield (BCBS) is a federation of health insurance providers serving nearly one-third of the U.S. population. CareFirst is the mid-Atlantic subsidiary of BCBS, delivering health insurance to customers in the District of Columbia, Maryland and Virginia.
In an effort to downplay the attack, CareFirst CEO Chet Burrell and other spokespersons are claiming that Social Security numbers, medical claims, employment, payment card and financial information were not exposed in the breach. However, the database did contain member-created user names, names, birth dates, email addresses and subscriber identification numbers. The breach did not expose passwords, which were both encrypted and stored on a separate server.
Trent Telford, CEO of data security firm Covata, told Threatpost in an email that it’s not always clear why an attacker might want to steal certain information, like names and addresses and usernames, but that doesn’t mean these sorts of data don’t hold value.
“If a company holds personal information on behalf of its customers, partners and employees, it is its responsibility to encrypt it and remove the inherent value of this data for thieves and malicious actors,” Telford said. “It is encouraging in the case of CareFirst BlueCross BlueShield that some of its valuable customer data is safe because it is encrypted. The more companies encrypt their customer data, the less they are going to be targets for attacks.”
CareFirst claims it initially detected the attack but incorrectly believed it had been contained before the attackers could access any information. The company only became aware of the full scope of the intrusion after hiring an incident response firm to perform a network analysis, prompted in part by a recent spate of cyberattacks targeting similar healthcare companies. CareFirst determined on April 21, 2015, that its systems had been intruded upon and that the intrusion occurred on June 19, 2014. As is the industry standard, CareFirst is offering affected customers two years of free credit monitoring services.
CareFirst is not responding to requests for specific details about the breach, as the incident is part of an ongoing FBI investigation.
CareFirst is in the process of contacting affected customers. Only those customers who registered an online account with CareFirst before June 20, 2014, would have been impacted by the breach. Affected customers will receive an email or an unsolicited phone call with a code redeemable for two years of free credit monitoring. They will also be forced to reset the passwords to their online accounts.