At least 1.1 million records of members of a Maryland and Washington, D.C., health insurance company may have been exposed in a security breach in June 2014. In a press release sent out Wednesday, CareFirst BlueCross BlueShield announced that it had been the target of a “sophisticated cyberattack.” The breach involved only one CareFirst database. The attackers may have accessed member names, usernames, birth dates, email addresses and subscriber numbers, but the database didn't include account passwords, which are encrypted and stored in a separate system, according to the company.
“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell in the release. “We are making sure those affected understand the extent of the attack -- and what information was and was not affected.”
The accessed database did not contain any additional member data such as Social Security numbers, medical claims, employment, credit card or financial information.
According to the company, the current and former CareFirst members affected by the attack were registered prior to June 20. Access to those accounts has been blocked as a security precaution and members will be required to create new usernames and passwords.
CareFirst has set up a website with more information about the attack and is offering two free years of credit monitoring to affected customers.
The health insurance company was made aware of the breach after an audit of its IT infrastructure was performed by cybersecurity firm Mandiant.
CareFirst is one of the latest health insurance companies to be targeted by cyberattacks over the past year. In February, Anthem Inc. suffered a similar breach, in which hackers made off with tens of millions of Social Security numbers, birth dates, addresses and names from a database that contained the information of more than 80 million members.