A "sophisticated cyberattack" has compromised personal information of about 1.1 million customers of CareFirst BlueCross BlueShield, the region's largest health insurer, the company said Wednesday.
Attackers gained access to names, birth dates, email addresses and insurance identification numbers, CareFirst officials said. The database did not include Social Security or credit card numbers, passwords or medical information.
It is the third major cyberattack on a U.S. health insurer this year, coming as hackers increasingly target health care and insurance organizations for medical-related data, which can be sold for large sums on secret online marketplaces. Recent attacks on insurers Anthem and Premera Blue Cross affected tens of millions of people across the country, including some CareFirst customers.
Cybersecurity and privacy experts said that while the CareFirst attack poses less of a risk than data breaches involving more sensitive data, such as financial account information or Social Security numbers, it still exposes enough to put consumers at risk in so-called "phishing" attempts or other fraud.
CareFirst is offering credit monitoring and identity theft protection services for two years, even though the breach did not expose financial data. CEO Chet Burrell said officials "deeply regret the concern this attack may cause."
"Please understand we are constantly investing in security of your data," he said in a video on the insurer's website.
CareFirst has 3.2 million members, including 2 million in Maryland.
The attack occurred in June 2014, two months after the insurer detected an attack that it believed it had contained. But the hackers had left behind hidden back doors that let them re-enter later, undetected.
The data breach was not exposed until last month when CareFirst hired security contractor Mandiant to conduct what it called "a comprehensive, proactive assessment" of information security systems in light of attacks on insurers such as Anthem and Premera. Mandiant detected the evidence April 21 that the data breach had occurred and spent the past month completing its investigation.
Hackers accessed a single database containing data that members and other individuals use to access CareFirst's websites and online services, officials said. Current and former CareFirst customers who created profiles on the insurer's website before June 20, 2014, are affected.
In other recent attacks on insurers, hackers gained access to the Social Security numbers of 79 million Anthem customers and the Social Security numbers and bank account information of 11 million Premera customers. The Anthem breach affected 375,000 CareFirst customers, officials said. The number of Carefirst customers affected in the Premera breach was not available Wednesday, officials said.
It was not immediately clear whether the CareFirst breach was related or similar to those attacks. A CareFirst spokesman referred questions about the nature and origin of the hacking to the FBI.
FBI spokeswoman Amy Thoreson confirmed that the agency is investigating the attack and working with CareFirst "to determine the nature and scope of this incident."
"Similar to other recent intrusions, this incident underscores the importance of rapidly notifying law enforcement once a breach has been detected, as doing so allows the FBI to quickly deploy our cyber experts to preserve evidence and work with incident responders to help recover their networks," she said in a statement. "Cybercrime remains a significant threat, and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice."
The main risk to those affected could be what is known as "spear phishing," when criminals use personal data to make fraudulent emails more credible, said Beth Givens, executive director of the Privacy Rights Clearinghouse, a San Diego-based consumer advocate. For example, a phishing email could contain a person's name, insurance ID number and birth date, appearing to come from CareFirst but actually coming from criminals seeking other valuable personal data.
"They've got enough information about the individual to concoct a very credible story," Givens said.
The information also could be sold on what is known as the dark web, parts of the Internet that cannot be found by search engines, and combined with other data, said Richard Forno, director of the University of Maryland, Baltimore County's graduate cybersecurity program.
"The information they got may or may not be useful directly, but it could help a bad guy get more clues about a person's identity," he said. "That could be useful to an adversary."
The Morning Sun
In many cases, data breaches can be larger than originally apparent, Forno added.
"As time goes on and the investigation continues, you never know if you'll find other leads that may change your initial assumptions," he said.
CareFirst spokesman Michael Sullivan said Mandiant made scans of the insurer's servers for "all kinds" of evidence of cyberattack.
"This was comprehensive," Sullivan said. "This was the only thing they found."
CareFirst is posting more information about the cyberattack at carefirstanswers.com.