CareFirst Announces Cyberattack; Offers Protection for Affected Members

Baltimore, MD (May 20, 2015) - CareFirst BlueCross BlueShield (CareFirst) today announced that the company has been the target of a sophisticated cyberattack.

The attackers gained limited, unauthorized access to a single CareFirst database. This was discovered as a part of the company’s ongoing Information Technology (IT) security efforts in the wake of recent cyberattacks on health insurers. CareFirst engaged Mandiant – one of the world’s leading cybersecurity firms – to conduct an end-to-end examination of its IT environment. This review included multiple, comprehensive scans of CareFirst’s IT systems for any evidence of a cyberattack.

Evidence suggests the attackers could have potentially acquired member user names created by individuals to use CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification numbers.

Mandiant determined that in June 2014 cyberattackers gained access to a single database in which CareFirst stores data that members and other individuals use to access CareFirst’s websites and online services. Mandiant completed its review and found no indication of any other prior or subsequent attack or evidence that other personal information was accessed.

CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst’s website. The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card, or financial information.

“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack – and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”

Approximately 1.1 million current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst’s websites prior to June 20, 2014, are affected by this event. Out of an abundance of caution, CareFirst has blocked member access to these accounts and will request that members create new user names and passwords.

More information about the cyberattack can be found at www.carefirstanswers.com.

About CareFirst BlueCross BlueShield
In its 78th year of service, CareFirst, an independent licensee of the Blue Cross and Blue Shield Association, is a not-for-profit health care company which, through its affiliates and subsidiaries, offers a comprehensive portfolio of health insurance products and administrative services to 3.4 million individuals and groups in Maryland, the District of Columbia and Northern Virginia. In 2014, CareFirst contributed nearly $55 million to more than 300 community programs designed to increase the accessibility, affordability, safety and quality of health care throughout its market areas. To learn more about CareFirst BlueCross BlueShield, visit our website at www.carefirst.com or follow us on Twitter.