Two CareFirst BlueCross BlueShield customers have filed a proposed class action suit against the Maryland health insurer after a cyberattack exposed about 1.1 million current and former members' personal information.
The suit alleges that CareFirst, the region's largest health insurer, failed to protect their data after the company became aware of security weaknesses during an attempted hack last year. The attackers, who left behind hidden back doors that let them later re-enter undetected, gained access to names, birth dates, email addresses and insurance identification numbers during a breach in June 2014 CareFirst officials said when they disclosed the hack in May.
The damages arising from the incident exceed $5 million, according to the lawsuit filed Aug. 6 in U.S. District Court, which accuses CareFirst of negligence and failing to notify customers in a timely fashion. The two plaintiffs include a Maryland resident who received the insurance through her job with the state.
A CareFirst spokesman declined to comment on pending litigation. When it disclosed the breach, the Owings Mills firm said it would give affected customers two years of credit monitoring and identity theft protection services.
CareFirst said at the time that no Social Security numbers, medical claims information and financial information were put at risk during the attack, which involved a single database with information members and others use to access CareFirst's websites and online services. It affected people who created profiles before June 20, 2014.
The attack was the third major breach of a U.S. health insurer reported this year, coming as hackers increasingly target health care and insurance organizations for medical-related data, which can be sold for large sums on secret online marketplaces.
Recent attacks on insurers Anthem and Premera Blue Cross also affected millions of people across the country, including some CareFirst customers.