First it was
“Limited personal information was involved in this attack—for instance, no member Social Security numbers, medical claims information or financial information was put at risk,” Chet Burrell, president and CEO at CareFirst, said in a message to members. “While this reduces the chance that your personal information will be used improperly, we are nonetheless offering our potentially affected members two years of free credit monitoring and identity theft protection services in order to ease your concerns about possible unauthorized use of your personal information.”
Attackers accessed a single database, discovered during ongoing security work being done in the wake of other attacks on insurers, according to the company. Access to the database occurred in June 2014 and there is no evidence of prior or subsequent attacks, based on examinations by cybersecurity firm
Compromised information includes member-created usernames for the CareFirst website, member names, dates of birth, email addresses and subscriber identification numbers. “However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst’s website,” according to the insurer. “The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks.”