Maryland’s CareFirst BlueCross BlueShield recently acknowledged that a “sophisticated cyberattack” provided unidentified hackers with access to the personal information of approximately 1.1 million people who registered to use the company’s website prior to June 20, 2014.
According to the company, the attackers accessed a single CareFirst database in June 2014. “This was discovered as a part of the company’s ongoing Information Technology (IT) security efforts in the wake of recent cyberattacks on health insurers,” CareFirst said in a statement.
“CareFirst engaged Mandiant – one of the world’s leading cybersecurity firms – to conduct an end-to-end examination of its IT environment,” the company added. “This review included multiple, comprehensive scans of the CareFirst’s IT systems for any evidence of a cyberattack.”
The personal information potentially accessed includes names, user names, birthdates, e-mail addresses and subscriber identification numbers. “Mandiant completed its review and found no indication of any other prior or subsequent attack or evidence that other personal information was accessed,” the company stated.
The compromised database did not include passwords, the company noted, “because they are fully encrypted and stored in a separate system as a safeguard against such attacks.” The database also didn’t hold Social Security numbers, medical claims or financial information.
“We deeply regret the concern this attack may cause,” CareFirst president and CEO Chet Burrell said in a statement. “We are making sure those affected understand the extent of the attack – and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”
All those affected are being offered two years of credit monitoring and identity theft protection services.
Netsurion CEO Kevin Watson told eSecurity Planet by email that while it’s good to hear that no medical or financial information was stolen, the data that was exposed is sufficient to make 1.1 million people prime targets for phishing scams. “This breach again calls into focus the reality that data security is not limited to the processing of payments and credit cards,” he said.
“Businesses of all kinds and across all industries, must act to protect sensitive information stored in their systems using ongoing efforts, not simple ‘fix it and forget it’ methods,” Watson added. “There needs to be a broad understanding that in order to be truly protected, enterprises must become proactive in securing network access, encrypting data and auditing security methods on a regular basis.”
And Suni Munshani, CEO of Protegrity, said the fact that no passwords were accessed won’t provide much comfort to those whose personal information has been exposed. “Credit card data used to be the hackers’ honeypot, but that black market has reached saturation point, and now it’s PHI and other private data hackers are going after as it carries a higher price tag and is invariably less well protected,” he said.
“These attacks will continue and become more prevalent and the only way to be sure that data is secure is to protect the data itself,” Munshani added. “Modern, data-centric security technologies protect data at rest, in transit and in use so businesses have no excuse.”
A recent study by the Ponemon Institute found that 91 percent of healthcare organizations have suffered at least one data breach in the past two years, and criminal attacks in the healthcare sector are up 125 percent since 2010.
“Cyber criminals recognize two critical facts of the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) healthcare organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data,” the Ponemon report stated.