CareFirst Blue Cross BlueShield (CareFirst) announced on May 20, 2015 that the company was a victim of a cyberattack which has compromised personal information of about 1.1 million of their customers. The attackers gained limited, unauthorized access to a CareFirst database. The breach potentially exposed member-created user names, member names, birth dates, email addresses and subscriber identification numbers. The breach did not expose member-created passwords, which the company indicates are necessary to gain access to additional member data through CareFirst’s website.
CareFirst has engaged Mandiant, a leading cybersecurity firm, to conduct a full examination of the CareFirst IT environment.
Chet Burrell, CEO for CareFirst released a statement saying, “Cyberattacks on businesses have, regrettably, become all too common. We understand that news of a cyberattack on CareFirst is a cause of concern for our members and others with whom we do business. Maintaining the privacy and security of our members’ personal information is one of our highest priorities.”
Burell continued, “Limited personal information was involved in this attack – for instance, no member Social Security Numbers, medical claims information or financial information was put at risk. While this reduces the chance that your personal information will be used improperly, we are nonetheless offering our potentially affected members two years of free credit monitoring and identity theft protection services in order to ease your concerns about possible unauthorized use of your personal information.”
CareFirst is a not-for-profit, non-stock health services company offering a comprehensive portfolio of products and administrative services to 3.2 million individuals and groups in Maryland, the District of Columbia and portions of Northern Virginia. CareFirst is the parent company of CareFirst of Maryland, Inc., and Group Hospitalization and Medical Services, Inc.