Health insurer CareFirst reveals cyberattack affecting 1.1 million

20.05.2015
A large U.S. health insurer, CareFirst BlueCross BlueShield, has disclosed it fell victim to a cyberattack that affected about 1.1 million people.

The attack, which occurred in June last year, targeted a single database that contained information about CareFirst members and others who accessed its websites and services, the company said Monday.

The nonprofit has 3.4 million members, mostly around Maryland, Washington, D.C., and Northern Virginia.

"We were the subject of a cyberattack," a somber-looking Chet Burrell, the company's CEO, says in a video posted to its website.

CareFirst said customer names, birth dates, user names, email addresses and subscriber ID numbers may have been stolen. The database did not contain Social Security numbers, medical claims or financial information, it said. And member passwords were encrypted and stored in a different system, CareFirst said.

The disclosure marks at least the third time this year that a large health insurance company has reported a data breach, and experts warn that medical records are increasingly sought by hackers.

Anthem, formerly known as Wellpoint, said in February that upwards of 78.4 million records were at risk after hackers accessed one of its databases. The breach exposed names, birth dates, Social Security numbers, addresses, phone numbers, email addresses and member IDs, as well as some employee records and income levels.

Five weeks after Anthem's disclosure, Premera Blue Cross said information including bank accounts and clinical data going back to 2002 may have been compromised in an attack that affected up to 11 million people.

Medical records are valuable for cybercriminals, who may use the information for fraud, or for more sophisticated purposes, such as nation-state spying.

Computer security experts have said the attacks against Anthem and Premera appeared to use similar tactics. In both cases, experts found evidence that the attackers set up domain names that slightly misspelled the company's names.

Those fake websites may have been used to spoof legitimate internal services offered by the companies in an attempt to steal login credentials that would yield access to their systems. CrowdStrike, which analyzes malware attacks, has said such tactics have been used by a suspected China-based group nicknamed Deep Panda.
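The tactic described above, lookalike domains that misspell a company's name and then impersonate its internal login pages, is something a defender can hunt for in DNS or proxy logs. The following Python script is an added example, not code from the article or from any of the insurers named: it protects a constructed brand domain (example-health.com), undoes common homoglyph swaps such as "1" for "l", and flags any queried second-level label within a small edit distance of the brand while leaving the brand's own subdomains alone. The log lines, the brand and the distance threshold are all constructed for illustration.

```python
"""Hunt for lookalike (typosquat) domains in DNS query logs.

Added example: brand domain, log lines and threshold are constructed and are not
taken from the article or from any company's real infrastructure.
"""

# Brand domains to protect. Constructed for this example.
PROTECTED_DOMAINS = ["example-health.com"]

# Substitutions attackers commonly use to make a fake label look like the real
# one: multi-character lookalikes first, then digit-for-letter homoglyphs.
HOMOGLYPH_MAP = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "4": "a", "5": "s"}


def second_level_label(domain: str) -> str:
    """Return the label directly left of the TLD: 'portal.example.com' -> 'example'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def canonical(label: str) -> str:
    """Undo homoglyph tricks and drop hyphens so 'examp1e-hea1th' -> 'examplehealth'."""
    s = label.replace("-", "")
    for fake, real in HOMOGLYPH_MAP.items():
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_brand(domain: str, protected=PROTECTED_DOMAINS):
    """Return (brand, distance) for the protected domain whose canonical label is nearest."""
    label = canonical(second_level_label(domain))
    return min(
        ((p, levenshtein(label, canonical(second_level_label(p)))) for p in protected),
        key=lambda t: t[1],
    )


def is_lookalike(domain: str, max_distance: int = 2, protected=PROTECTED_DOMAINS) -> bool:
    """True if domain imitates a protected brand but is not the brand or one of its subdomains."""
    host = domain.lower().strip(".")
    if any(host == p or host.endswith("." + p) for p in protected):
        return False  # legitimate: exact match or a real subdomain of the brand
    return closest_brand(domain, protected)[1] <= max_distance


def flag_queries(log_lines, max_distance: int = 2):
    """Scan 'timestamp client qname' lines; return hits as (client, qname, brand, distance)."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash the hunt
        client, qname = fields[1], fields[2]
        if is_lookalike(qname, max_distance):
            brand, dist = closest_brand(qname)
            hits.append((client, qname, brand, dist))
    return hits


# Constructed DNS log sample (not real traffic).
SAMPLE_LOG = [
    "2015-06-01T09:12:03Z 10.0.0.5 portal.example-health.com",
    "2015-06-01T09:12:09Z 10.0.0.5 examp1e-hea1th.com",
    "2015-06-01T09:13:41Z 10.0.0.7 exampel-health.com",
    "2015-06-01T09:14:02Z 10.0.0.9 www.google.com",
    "2015-06-01T09:15:30Z 10.0.0.9 example-heath.net",
    "garbage line",
]

if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_LOG):
        print("suspicious: client=%s qname=%s looks like %s (distance %d)" % hit)
```

Two design points worth noting. The homoglyph map is applied to both the queried label and the brand, so a brand that itself contains "rn" or a digit is canonicalized the same way and still matches itself at distance 0. A threshold of 2 catches single typos and adjacent-letter swaps but will also fire on unrelated short names, so in production the hit list is a triage queue (check registration date and whether the host serves a login page) rather than an automatic block list.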

CareFirst did not indicate who might be behind its breach, but said the FBI was notified.

CareFirst's breach was uncovered last month by Mandiant, computer security company FireEye's investigative services branch. It was hired to scan CareFirst's systems in light of the attacks against other health insurers.

The company is offering two years of free credit monitoring to those affected, who will be notified by letter. Some online accounts have been blocked and members will be prompted to create new user names and passwords.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk