CareFirst notifies 6,800 members of email phishing attack

CareFirst BlueCross BlueShield has notified 6,800 members that their personal information may have been compromised as part of an email phishing attack at the beginning of last month. 

On March 12, the Maryland insurer determined that one of its employees had fallen victim to a deceptive email campaign. The attackers gained access to the employee’s email and could have viewed personal information for nearly 7,000 members, including member identification numbers. A small number of records included Social Security numbers, but no financial or medical information was compromised, CareFirst said in an announcement.

“The original phishing message and the resulting spam messages have been forensically examined by CareFirst’s information security team as well as by a 3rd party information security firm,” the company wrote. “CareFirst’s systems in general were also forensically analyzed. There was no evidence of malware in the phishing email or spam and no other suspicious activity was detected within CareFirst’s systems. The individual email account was reset.”

CareFirst will offer two years of free credit monitoring to those affected.

The notification comes weeks after the Supreme Court denied CareFirst’s appeal to review a lawsuit stemming from a 2014 data breach that compromised information for 1.1 million members. A D.C. appeals court previously ruled that members of the class-action lawsuit had sufficiently demonstrated that the possibility of harm associated with the breach was substantial enough to bring claims against the insurer.

Phishing scams are frequently used by attackers to gain access to healthcare systems, and research shows unintended disclosures account for a large chunk of reported breaches. Earlier this year, a Florida agency that oversees the state’s Medicaid program said a phishing attack potentially impacted 30,000 individuals.