Updated CareFirst Statement on Anthem Cyberattack

Baltimore, MD (February 24, 2015) - On February 4, 2015, CareFirst BlueCross BlueShield (CareFirst) was made aware by Anthem, Inc. (like CareFirst, a Blue Cross Blue Shield company) of a very sophisticated external cyberattack. These attackers gained unauthorized access to Anthem’s IT system and obtained personal information from consumers who are current and former members of Anthem’s associated health plans, as well as information from consumers covered by other independent Blue Cross and Blue Shield plans working with Anthem, including CareFirst.

Since that time, CareFirst has been engaged with Anthem in the complex process of vetting the data and verifying the number and identity of those affected, and—importantly—the type of information involved.

Based on the information provided by Anthem, as many as 375,000 CareFirst members throughout the region were in some way impacted by this event. It is important to note, however, that in the vast majority of these cases, the information involved included name, date of birth, address, and health plan identification numbers. The investigation to date shows no credit card information, banking information or confidential health information was compromised.

The most potentially sensitive data included in the breached information is Social Security Numbers (SSNs). Based on the analysis and information provided by Anthem, less than two dozen CareFirst member SSNs were potentially included in the data breach. In addition to receiving a letter from Anthem, these members will also receive a letter directly from CareFirst encouraging them to take advantage of protections being offered by Anthem.

Any member receiving a letter from Anthem or CareFirst on this breach may enroll in the protections being offered by Anthem. Members can visit AnthemFacts to learn how to enroll. Due to the scope of the Anthem data breach, it will take a number of weeks for Anthem to mail letters to all impacted members. In the meantime, any member who thinks they may have been affected can also avail themselves of the protections being offered by and paid for by Anthem.

We will continue to provide updates on the Anthem cyberattack and its impact on CareFirst members as appropriate.

Why is CareFirst Member Information Affected by the Anthem Data Breach?

Thirty-seven independent companies—including CareFirst BlueCross BlueShield—operate in various locations across the United States and Puerto Rico to form the Blue Cross and Blue Shield network. This network allows Blue Cross and Blue Shield members to receive the same health insurance benefits for medical care while living or traveling within the coverage areas of any other Blue Cross Blue Shield company.

When members seek care in these instances, the medical claim is sent on the member’s behalf from the Blue Cross Blue Shield company that received it to the local Blue Cross Blue Shield company. Therefore, if a current or former CareFirst member received care in any of the Anthem locations (listed below) within the past ten years, that claims experience and associated member information may have been retained in Anthem’s database.

Anthem states include all or portions of: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, or Wisconsin.