CareFirst BlueCross BlueShield, one of the largest regional health insurers in the U.S., has confirmed a major security breach which is thought to have affected as many as 1.1 million customers.
The Washington D.C.-based firm announced yesterday that the hack had taken place in June last year. CareFirst said that the breach had been a “sophisticated cyberattack” and that those behind the crime had accessed and potentially stolen sensitive customer data including names, dates of birth, email addresses and ID numbers.
However, the health insurance group gave assurances that usernames must be used in tandem with a password created by the members themselves to gain access to the personal account data stored on the website.
The affected database did not contain these unique member passwords, which the company encrypts and stores in an isolated system as a protection mechanism against such cyber threats.
Without the passwords, the hackers would not have been able to reach sensitive information such as customers’ Social Security numbers, medical claims, employment details, credit card data, or financial records, CareFirst confirmed.
The group has said that it will block member access to accounts that it believes may have been breached, and is asking those with compromised logins to create new usernames and passwords.
All affected members will also receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, CareFirst said in a statement posted on its website.
The attack was first discovered by Mandiant, the FireEye cyber-forensics branch, after the unit was hired by CareFirst as a security measure in the wake of a number of attacks on other health insurers such as Anthem, Premera and Community Health Systems.
“The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year,” said Mandiant managing director Charles Carmakal.