CareFirst BlueCross BlueShield is notifying more than one million individuals that their personal information could have been accessed by attackers who gained limited, unauthorized access to a single CareFirst database in June 2014.
“Approximately 1.1 million current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst's websites prior to June 20, 2014 are affected by this event,” according to an advisory posted to the website.
CareFirst had engaged Mandiant to conduct an end-to-end assessment of its IT environment. During that assessment, on April 21, the security firm found that access to the database could have been gained on June 19, 2014.
Evidence suggests that names, birth dates, email addresses and subscriber identification numbers, as well as usernames to access the CareFirst website, could have been acquired.
The advisory noted that usernames must be used with passwords in order to access member data through the website, and that those passwords are fully encrypted and stored in a separate system that was not affected. Additionally, Social Security numbers and medical claims, employment, credit card and financial information are not at risk.
Mandiant completed multiple reviews of CareFirst's IT systems and found no evidence that any additional attacks had occurred or personal information was accessed. All impacted individuals are being notified, asked to change their usernames and passwords, and offered two years of free credit monitoring and identity theft protection services.
CareFirst noted that it will not be contacting members by email, phone or social media.
Stay tuned to SCMagazine.com for continued coverage of the CareFirst breach as the story evolves.