News Feature | June 4, 2015

CareFirst BlueCross BlueShield Breach Exposes Data Of More Than 1 Million

By Christine Kern, contributing writer

CEO says hacked data is useless without corresponding passwords.

CareFirst BlueCross BlueShield, a nonprofit insurer that serves Maryland, northern Virginia, and Washington, D.C., has announced it has been the target of a sophisticated cyberattack that exposed 1.1 million members when hackers gained limited, unauthorized access to a CareFirst database. CEO Chet Burrell was quick to offer assurance that the data acquired by the hackers is basically useless because the corresponding passwords for each username were housed in a separate, unaffected database.

The company statement read, “Limited personal information was involved in this attack – for instance, no member Social Security Numbers, medical claims information, or financial information was put at risk.”

A CareFirst official said its user names must be used in conjunction with a member-created password to gain access to underlying member data on the website, and the passwords are encrypted and stored in a separate system as a safeguard against such attacks. CareFirst has also engaged Mandiant, a security firm, to manage the attack and assess the security of its IT systems. Mandiant was also the firm hired in the wake of the Anthem breach last year.

The company is still offering two years of free credit monitoring and identity theft protection services to those potentially affected by the breach.

“The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the healthcare industry over the past year,” Charles Carmakal, managing director of Mandiant, told USA Today.

The breach was discovered during ongoing IT security efforts undertaken as part of increased vigilance against cyber threats in the industry. The review determined hackers accessed a single database on June 19, 2014, and retrieved members’ names, birthdates, email addresses and subscriber identification numbers. “We have constant monitoring going on, every second of every day, but the nature of this attack was sophisticated enough that we couldn't detect it,” Burrell said.

The location of the breach is also significant to those in the security community, since the healthcare company's members are primarily based in Northern Virginia, Maryland and Washington, D.C., where there is a heavy concentration of government, military, and contractors. “Obviously, we know what's there,” Rick Holland with Forrester Research told USA Today.

Some speculate that previous healthcare computer breaches, including those at Anthem, Premera and Community Health System, may have originated in China.