1.1 Million Affected by CareFirst BlueCross BlueShield Breach

CareFirst BlueCross BlueShield announced this week that hackers broke into one of its databases and made off with a variety of sensitive customer information.

CareFirst BlueCross BlueShield announced yesterday that attackers gained access to a single company database containing the sensitive and personal information of more than a million of its current and former health insurance customers.

BlueCross BlueShield (BCBS) is a federation of health insurance providers serving nearly one-third of the U.S. population. CareFirst is the mid-Atlantic subsidiary of BCBS, delivering health insurance to customers in the District of Columbia, Maryland and Virginia.

In an effort to downplay the attack, CareFirst CEO Chet Burrell and other spokespersons are claiming that Social Security numbers, medical claims, employment, payment card and financial information were not exposed in the breach. However, the database did contain member-created user names, names, birth dates, email addresses and subscriber identification numbers. The breach did not expose passwords, which were both encrypted and stored on a separate server.

Trent Telford, CEO of data security firm Covata, told Threatpost in an email that it’s not always clear why an attacker might want to steal certain information, like names and addresses and usernames, but that doesn’t mean these sorts of data don’t hold value.

“If a company holds personal information on behalf of its customers, partners and employees it is its responsibility to encrypt it and remove the inherent value of this data for thieves and malicious actors,” Telford said. “It is encouraging in the case of CareFirst BlueCross BlueShield that some of its valuable customer data is safe because it is encrypted. The more companies encrypt their customer data, the less they are going to be targets for attacks.”

CareFirst says it detected the intrusion at the time but incorrectly believed it had contained it and prevented the attackers from accessing any information. It only became aware of the full scope of the attack after hiring an incident response firm to perform a network analysis, partly because of a recent spate of cyberattacks targeting similar healthcare companies. The company determined on April 21, 2015, that there had been an intrusion into CareFirst’s systems and that it occurred on June 19, 2014. As is the industry standard, CareFirst is offering affected customers two years of free credit monitoring services.

CareFirst is not responding to requests for specific details about the breach, as the incident is part of an ongoing FBI investigation.

CareFirst is in the process of contacting affected customers. Only those customers who registered an online account with CareFirst before June 20, 2014, would have been impacted by the breach. Affected customers will receive an email or an unsolicited phone call with a code redeemable for two years of free credit monitoring. They will also be forced to reset the passwords to their online accounts.

  • Kevin Buchanan on

    Brian: you are correct. Databases can be encrypted, but there is a cost in performance loss. For each field that is encrypted, there is an amount of CPU processing to decrypt the data, thereby reducing the effective number of records that can be processed in a given time period. There are means of mitigating the performance loss, either with faster servers, or encryption by the SAN storage. I work at a health system and we estimated an additional 30% in system performance would be necessary in order to maintain the same level of IO throughput vs a non-encrypted configuration. In effect, encrypting the data at rest costs several $100k's. Make no mistake, every CIO is weighing the risk and benefit of data encryption. But obviously, they aren't always choosing to encrypt. Fines for allowing disclosure of Protected Health Information and Personally Identifiable Information aren't enough deterrent. HIPAA legislation requires data to be encrypted during transit, but it should require data to be encrypted at rest.
  • James on

    Considering most breaches are accomplished with stolen credentials, saying that encryption is the solution isn't entirely accurate. Usually, with the proper credentials, encrypted data is just as accessible as non-encrypted. So it simply isn't as easy as saying encrypt your data.
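The two comments above turn on where the encryption sits. Storage- or database-level encryption, the kind Kevin describes, protects the disks but is transparent to anyone who can log into the database. The following is an added example, not code from CareFirst, Threatpost or either commenter, of the alternative: the application encrypts the individual columns the article lists (user name, name, birth date, email, subscriber ID) with AES-256-GCM before they reach the database, and the key is assumed to be fetched from a KMS or HSM at startup and never stored alongside the data. The column names, the `id` row key and the `recordID|column` associated-data layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// FieldCipher encrypts individual columns with AES-256-GCM. The key is held by
// the application (assumed here to come from a KMS/HSM at startup), never by
// the database, so database credentials alone do not yield plaintext.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 key must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag). Record ID and column name
// are associated data, so a ciphertext copied to another row or column fails
// authentication instead of decrypting.
func (fc *FieldCipher) Encrypt(recordID, column, plaintext string) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := fc.aead.Seal(nil, nonce, []byte(plaintext), []byte(recordID+"|"+column))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt reverses Encrypt and reports which record and column failed.
func (fc *FieldCipher) Decrypt(recordID, column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	ns := fc.aead.NonceSize()
	if err != nil || len(raw) < ns+fc.aead.Overhead() {
		return "", fmt.Errorf("%s.%s: malformed ciphertext", recordID, column)
	}
	pt, err := fc.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID+"|"+column))
	if err != nil {
		return "", fmt.Errorf("%s.%s: %w", recordID, column, err)
	}
	return string(pt), nil
}

// EncryptRecord builds the row as written to the database: the "id" column
// stays in the clear (it is the row key), every other column is ciphertext.
func (fc *FieldCipher) EncryptRecord(rec map[string]string) (map[string]string, error) {
	row := map[string]string{"id": rec["id"]}
	for col, val := range rec {
		if col == "id" {
			continue
		}
		enc, err := fc.Encrypt(rec["id"], col, val)
		if err != nil {
			return nil, err
		}
		row[col] = enc
	}
	return row, nil
}

// DecryptRecord is what the application does after reading a row back.
func (fc *FieldCipher) DecryptRecord(row map[string]string) (map[string]string, error) {
	rec := map[string]string{"id": row["id"]}
	for col, enc := range row {
		if col == "id" {
			continue
		}
		val, err := fc.Decrypt(row["id"], col, enc)
		if err != nil {
			return nil, err
		}
		rec[col] = val
	}
	return rec, nil
}

// RowLeaksPlaintext models what a holder of database credentials sees: true
// if any stored value still contains the given plaintext.
func RowLeaksPlaintext(row map[string]string, plaintext string) bool {
	for _, v := range row {
		if strings.Contains(v, plaintext) {
			return true
		}
	}
	return false
}
```

With this layout a database login or a copy of the database files yields only ciphertext and the row keys; reading plaintext requires the application's key as well, which is the distinction James's comment points at. It also carries the cost Kevin describes: every column is a separate AEAD operation on read and write, and the columns can no longer be indexed or searched on their plaintext value, so the set of encrypted columns has to be chosen rather than applied blindly to the whole table.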
