CareFirst BlueCross BlueShield on Wednesday announced that it was the target of a cyberattack that compromised information of about 1.1 million current and former consumers, as well as individuals who conducted business with the company online. The attack was discovered last month during information technology security efforts conducted in the wake of other recent high-profile cyberattacks on fellow payers Anthem and Premera discovered earlier this year.
On June 19, 2014, unspecified attackers gained access to a single encrypted database in which CareFirst stores website access information, according to CareFirst. Compromised information includes consumer usernames for CareFirst's website, as well as names, birth dates, email addresses and subscriber identification numbers. No Social Security or financial information was stored in the database, and passwords also were not compromised.
According to a report from The Daily Beast, Chinese hackers are responsible for the attack on the insurer, which serves customers in the District of Columbia, Maryland and parts of Virginia. However, CareFirst does not confirm on its website who is responsible, and could not comment when asked for clarification in a phone call.
Likewise, the Federal Bureau of Investigation could not clarify to FierceHealthIT the origin of the attacks due to the ongoing investigation. In a statement emailed to FierceHealthIT, the agency said it is working with the company to determine the nature and scope of the incident.
"Individuals contacted by the company should take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI's Internet Crime Complaint Center at ic3.gov," the statement reads. "Similar to other recent intrusions, this incident underscores the importance of rapidly notifying law enforcement once a breach has been detected, as doing so allows the FBI to quickly deploy our cyber experts to preserve evidence and work with incident responders to help recover their networks. Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice."
In a frequently asked questions section, CareFirst says that information for members who created online accounts at carefirst.com prior to June 20, 2014, was potentially accessed; those who enrolled on or after June 20, 2014, are not affected.
CareFirst is mailing letters to individuals impacted by the breach; those affected should expect to receive such notification within one to three weeks. The insurer also will provide two years of free credit monitoring and identity theft protection services for those impacted.
"We deeply regret the concern this attack may cause," CareFirst President and CEO Chet Burrell said in a statement. "We are making sure those affected understand the extent of the attack--and what information was and was not affected."