Cyberattacks against health insurance companies continue, as an East Coast BlueCross BlueShield insurance company announced the latest in a long line of attacks against carriers.
CareFirst BlueCross BlueShield said Wednesday it had been attacked by hackers who compromised the personal information of about 1.1 million current and former customers in D.C., Maryland and Virginia.
The insurer said the attack occurred in June 2014. CareFirst’s cybersecurity team originally thought it had successfully fended off the attack, but a recent review showed that the attackers had gained access to such personal information as names, birth dates, e-mail addresses, subscriber identification numbers and customer-created usernames for the CareFirst website.
The information did not include Social Security numbers, medical claims, employment, credit card or financial information.
“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack – and what information was and was not affected.”
CareFirst is offering free credit monitoring and identity-theft protection services to those affected for two years, and the FBI is said to be investigating the cyberattack.
The company said it learned of the breach for the first time on April 21 during a review of its systems by the cybersecurity firm Mandiant. It did not disclose the breach immediately so that it could complete its own investigation.
The recent rash of breaches against insurance companies – particularly those in the health sector – isn’t going away any time soon. Dave Kennedy, founder of cybersecurity firm TrustedSec, told the Washington Post the wealth of data kept by insurers is valuable to cyber-criminals looking to sell personal information on underground black markets for use in identity theft or medical fraud.
“There’s so much value in this information,” Kennedy said. “There are probably a whole lot of other places that are just now discovering they were breached.
“We’re probably going to see a lot more of these happening in the coming few months.”
The attack follows on the heels of those against Premera BlueCross BlueShield and Anthem, which together exposed the data of more than 100 million consumers.