1.1 Million Hit by Hack at CareFirst Blue Cross Blue Shield

CareFirst Blue Cross Blue Shield is the latest medical insurer casualty in the cyber-war with identity thieves and other crooks—that we know about, anyway. The company has issued a statement disclosing a data breach of one of its databases, which occurred in June 2014, and affects around 1.1 million CareFirst members.

This disclosure marks the third time a major health insurer has identified a data breach since the beginning of 2015, following Anthem and Premera.

The attackers gained access to a database that holds login data for CareFirst’s websites and online services. Member-created user names, birth dates, email addresses and subscriber identification numbers were exposed, but no member Social Security numbers, medical claims information or financial information was put at risk. Passwords were not put at risk either, because they are fully encrypted and stored in a separate system as a safeguard.

“The attackers gained limited, unauthorized access to a single CareFirst database,” said CareFirst president and CEO Chet Burrell in disclosing the breach. “This was discovered as a part of the company’s ongoing IT security efforts in the wake of recent cyber-attacks on health insurers. CareFirst engaged Mandiant—one of the world’s leading cybersecurity firms—to conduct an end-to-end examination of its IT environment. This review included multiple, comprehensive scans of CareFirst’s IT systems for any evidence of a cyberattack.”

According to Andy Hayter, security evangelist at G DATA, the good news is that the breach was discovered so quickly, thanks to the routine audit.

“Had CareFirst not taken the proactive step to engage in a forensic security audit this might not have been discovered for days, months or maybe years,” Hayter said in an email. “Further damage would have been catastrophic for the insurer and its customers. Without knowing the details it is hard to guess the point of entry of the hack but many such attacks can be prevented by practicing safe computing. This includes keeping your anti-virus software up-to-date, applying all operating system and application patches, and education, education, and more education of the users of the systems.”

The hack is not surprising given the value that personal information has in the cyber-underground. And although the exposed information is limited, it should go without saying that having one’s medical information stolen could unlock the potential for significant medical fraud and open the door to phishing scams.

“If insurance plan information is stolen along with identity information, data thieves would have a good indicator on which identities hold a higher value, based on the value of the insurance plan,” said Kevin Watson, CEO at Netsurion, in an emailed comment. “If thieves focus on the individuals with the highest plan costs, these are likely to be people who are more established in their lives, have families, higher incomes and better credit, meaning their identities are worth even more on the black market.”

He noted that a phishing email to a victim would look something like this:

Dear Mr. Jones,

You may have heard that we had a security incident that involved the loss of electronic data. For you to know that this is a legitimate e-mail from CareFirstBCBS, we are including your subscriber number: 123456. Unfortunately, your information was compromised, and as a responsible health care provider, we are offering to protect your vital information for the next 5 years free of charge. We don't believe you have anything to worry about, but this is our way of protecting our clients.

Please visit the website below where you will enter all of your sensitive information such as your credit cards, social security number, checking accounts and other financial data that you want to protect. We will monitor the activity on these accounts and let you know if anything bad is noted by hackers who want to steal your data.
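
The sample message above combines three pretexts a mail filter can look for: a breach-notification opener, a leaked identifier (here the subscriber number) offered as proof that the sender is genuine, and a request to enter financial or identity data on a linked site. The following rule-based scorer is an added example for this article; it is not code from CareFirst, Netsurion or Infosecurity Magazine, and its patterns, weights and threshold are illustrative assumptions rather than a tuned classifier. It is run over two constructed messages: a paraphrase of the phishing sample, and a constructed notification that asks the recipient for nothing.

```python
"""Heuristic triage of breach-themed phishing e-mails (added example).

Scores a message body against a handful of pretext indicators and reports
which ones matched. The rules, weights and threshold are assumptions for
illustration; a production filter would be tuned on labelled mail.
"""
import re

# Each rule: (name, compiled pattern, weight). Patterns are assumptions
# chosen to match the pretexts in the quoted sample message.
RULES = [
    ("breach_pretext",
     re.compile(r"security incident|data breach|was compromised|loss of (electronic )?data", re.I), 2),
    # An ID the sender could only have from stolen data, used as "proof" of legitimacy.
    ("identifier_as_proof",
     re.compile(r"(legitimate|genuine|authentic)[^.]*?(subscriber|member|account|policy) (number|id)", re.I), 3),
    # Asks the recipient to hand over identity or financial data.
    ("requests_sensitive_data",
     re.compile(r"social security|credit card|checking account|bank account|password|date of birth", re.I), 3),
    ("urges_link_visit",
     re.compile(r"(visit|click|go to) (the )?(website|link|url) below|https?://", re.I), 2),
    ("free_protection_lure",
     re.compile(r"free of charge|at no cost|free (credit|identity) monitoring", re.I), 1),
]

THRESHOLD = 6  # assumed cut-off: a score at or above this is treated as likely phishing


def score_message(body: str) -> dict:
    """Return the matched rule names, the total score and a verdict for one body."""
    matched = [name for name, pattern, _ in RULES if pattern.search(body)]
    total = sum(weight for name, _, weight in RULES if name in matched)
    return {"matched": matched, "score": total, "likely_phishing": total >= THRESHOLD}


# Constructed sample: a paraphrase of the pretext quoted in the article.
SAMPLE_PHISH = """Dear Mr. Jones,
You may have heard that we had a security incident that involved the loss of electronic data.
For you to know that this is a legitimate e-mail, we are including your subscriber number: 123456.
Please visit the website below where you will enter your credit cards, social security number
and checking accounts so that we can protect them free of charge."""

# Constructed sample of a sound notification: it requests no data and directs
# the recipient to a contact channel they already hold (the card in their wallet).
SAMPLE_LEGIT = """Dear member,
We are writing to inform you of a security incident affecting some member records.
We will never ask you for account or financial details by e-mail. To enrol in the
credit monitoring we are offering, call the number printed on your member card."""


if __name__ == "__main__":
    for label, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(body))
```

The scorer matches each rule at most once, so repeating a lure does not inflate the score; what separates the two samples is that the genuine notice never asks for data and never uses a leaked identifier as a credential, which is exactly the advice to give members after a breach like this one.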


Certain demographics are also more vulnerable to post-breach fraud than others, according to Ken Westin, senior security analyst at Tripwire.

“Elderly victims can be targets of extensive fraud because criminals can use this information to create deceptive campaigns using scare tactics and other methods designed to exploit the trust these consumers have in healthcare organizations in order to extract additional information and money from them,” he explained via email.

CareFirst said that it was offering free credit monitoring to those affected.
