CareFirst notifies 6,800 members of email phishing attack

CareFirst notified 6,800 members of a phishing email discovered in March. (Getty/gintas77)

CareFirst BlueCross BlueShield has notified 6,800 members that their personal information may have been compromised as part of an email phishing attack at the beginning of last month. 

On March 12, the Maryland insurer determined that one of its employees had fallen victim to a deceptive email campaign. The attackers gained access to the employee’s email account and could have viewed personal information for nearly 7,000 members, including member identification numbers. A small number of records included Social Security numbers, but no financial or medical information was compromised, CareFirst said in an announcement.

“The original phishing message and the resulting spam messages have been forensically examined by CareFirst’s information security team as well as by a 3rd party information security firm,” the company wrote. “CareFirst’s systems in general were also forensically analyzed. There was no evidence of malware in the phishing email or spam and no other suspicious activity was detected within CareFirst’s systems. The individual email account was reset.”

CareFirst will offer two years of free credit monitoring to those affected.

The notification comes weeks after the Supreme Court denied CareFirst’s appeal to review a lawsuit stemming from a 2014 data breach that compromised information for 1.1 million members. A D.C. appeals court previously ruled that members of the class-action lawsuit had sufficiently demonstrated that the possibility of harm associated with the breach was substantial enough to bring claims against the insurer.

Phishing scams are frequently used by attackers to gain access to healthcare systems, and research shows unintended disclosures account for a large chunk of reported breaches. Earlier this year, a Florida agency that oversees the state’s Medicaid program said a phishing attack potentially impacted 30,000 individuals.  
