First it was Anthem, then Premera, and now another major Blues plan—CareFirst BlueCross BlueShield—has been hacked and 1.1 million members in Maryland, Virginia and the District of Columbia are affected.

“Limited personal information was involved in this attack—for instance, no member Social Security numbers, medical claims information or financial information was put at risk,” Chet Burrell, president and CEO at CareFirst, said in a message to members. “While this reduces the chance that your personal information will be used improperly, we are nonetheless offering our potentially affected members two years of free credit monitoring and identity theft protection services in order to ease your concerns about possible unauthorized use of your personal information.”

Attackers accessed a single database, discovered during ongoing security work being done in the wake of other attacks on insurers, according to the company. Access to the database occurred in June 2014 and there is no evidence of prior or subsequent attacks, based on examinations by cybersecurity firm Mandiant.

Compromised information includes member-created usernames for the CareFirst website, member names, dates of birth, email addresses and subscriber identification numbers. “However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst’s website,” according to the insurer. “The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks.”

Register or login for access to this item and much more

All Digital Insurance content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access