Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
CareFirst BlueCross BlueShield Hacked
Insurer Says Intrusion Resulted in Breach Impacting 1.1 MillionFor the third time in recent months, a Blue Cross or Blue Shield company has revealed that it's been hacked. Baltimore-based CareFirst BlueCross BlueShield disclosed on May 20 that an "unauthorized intrusion" into a database dating back to June 2014 resulted in a breach affecting 1.1 million individuals.
See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
Other Blues plans that have recently reported cyber-attacks are Anthem Inc., which says its breach impacted 78.8 million individuals, and Premera Blue Cross, which says 11 million were affected by its hacking incident.
Mandiant, a cyberforensics unit of security vendor FireEye, discovered the attack on CareFirst in April. In a statement, Mandiant managing director Charles Carmakal tells Information Security Media Group that "in light of recent breaches in the healthcare industry ... Mandiant was asked to conduct a proactive examination of CareFirst's environment. As part of the examination, in April of this year, Mandiant identified evidence of an intrusion that resulted in the unauthorized access of CareFirst database in June 2014."
The attack appears related to other recent attacks in the healthcare sector, Carmakal says. "The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the healthcare industry over the past year," he says, declining to provide further details.
In a statement on its website, CareFirst said it first learned of the attack on April 21, 2015, when the review of CareFirst's systems was not yet complete. "This was when Mandiant discovered that a cyber-attack occurred and likely resulted in a limited unauthorized access to a database," the statement notes. "It was necessary to complete the comprehensive forensic information technology review of all of CareFirst's systems to understand the nature of the attack, the information potentially accessed and the members who were affected. In addition, the comprehensive review was necessary to determine that there was no evidence of any prior or ongoing attacks and to take steps necessary to ensure the integrity of the system."
Mandiant's Carmakal adds: "CareFirst continues to implement security enhancements to better protect their environment against advanced attacks. Mandiant will continue to monitor CareFirst network environment for future attacker activity."
Compromised Data
In the statement on its website, CareFirst says the attackers gained "limited, unauthorized access to a single CareFirst database." The incident was discovered as a part of the company's ongoing IT security efforts in the wake of recent cyberattacks on health insurers, it acknowledges.
The Mandiant review of CareFirst's environment determined that in June 2014, hackers gained access to a database in which CareFirst stores data that members and other individuals enter to access CareFirst's websites and online services. Mandiant completed its review and found no indication of any other prior or subsequent attack or evidence that other personal information was accessed, the insurer said.
"Evidence suggests the attackers could have potentially acquired member-created user names created by individuals to access CareFirst's website, as well as members' names, birth dates, email addresses and subscriber identification number," CareFirst said.
"However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst's website. The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card or financial information."
Nevertheless, CareFirst will be offering free credit monitoring and identity theft protection for those affected for two years.
Approximately 1.1 million current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst's websites prior to June 20, 2014, were affected by the breach, the company said. "Out of an abundance of caution, CareFirst has blocked member access to these accounts and will request that members create new user names and passwords," the company says.
CareFirst reported the attack to the FBI and is cooperating with the investigation, the company says.
In addition to the hacking attacks this year on Anthem and Premera Blue Cross, healthcare provider Community Health System was the victim of a hacking attack last August, which resulted in a breach affecting 4.5 million individuals.