CareFirst Blue Cross and Blue Shield, a not-for-profit insurer serving Maryland, Washington and northern Virginia, said Wednesday that it was the target of a sophisticated cyberattack affecting 1.1 million individuals.
Hackers infiltrated a single database in June 2014 and may have been able to acquire member usernames, names, birth dates, e-mail addresses and subscriber identification numbers. That database did not include member-created passwords, nor did it include Social Security numbers, medical claims, employment information, credit card numbers or financial records, CareFirst said.
The hack was discovered by cybersecurity firm Mandiant, which was contracted to conduct an end-to-end examination of CareFirst's information technology environment in the wake of the major cyberattacks against Premera Blue Cross and Anthem. CareFirst is the third Blue Cross and Blue Shield insurer to acknowledge a cyberattack this year, following record-breaking hacks at Premera and Anthem, which affected 11 million people and 80 million people, respectively.
CareFirst had detected the initial attack and believed it had contained it and prevented access to member information, the company said on a website dedicated to information about the hack. The evidence that customer data had been exposed was discovered by Mandiant on April 21, 2015, when the cybersecurity firm's review was not yet complete.
"It was necessary to complete the comprehensive forensic information technology review of all of CareFirst's systems to understand the nature of the attack, the information potentially accessed, and the members who were affected," the company said. "In addition, the comprehensive review was necessary to determine that there was no evidence of any prior or ongoing attacks and to take steps necessary to ensure the integrity of the system."
Though CareFirst said the information would be of limited use to identity thieves, it will be providing free credit monitoring and identity theft protection to affected individuals for two years.
"We deeply regret the concern this attack may cause," CareFirst President and CEO Chet Burrell said. "We are making sure those affected understand the extent of the attack—and what information was and was not affected."
The attack affected current and former CareFirst members "and individuals who do business with CareFirst online who registered to use CareFirst's websites prior to June 20, 2014."