HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CareFirst BCBS Security Audit Reveals 1.1 Million-Record Cyberattack

CareFirst BlueCross BlueShield has discovered a cybercriminal infiltrated its computer network last year on what appears to be a single occasion. Protected data of approximately 1.1 million individuals has potentially been disclosed in the incident.

Following the two mega data breaches to hit health insurers this year – Anthem’s hack exposed 78.8 million records and Premera’s 11 million – and the Community Health Systems 4.5 million-record breach last year, CareFirst BCBS decided to take a closer look at its own systems and check for suspicious activity.

The insurer engaged an external IT security company, Mandiant, to conduct a thorough inspection of its computer network and database. That review uncovered a cyberattack in which the insurer’s cybersecurity defenses had been breached on June 20, 2014.

No Healthcare Data or Social Security Numbers Exposed

The information accessed was contained in a single database, according to a breach notice posted on a website set up by CareFirst to provide answers to affected individuals. The hacker did not gain access to the entire network.

The most sensitive patient data – Social Security numbers, financial information and health data – was not compromised in the incident, although the hacker was potentially able to access, view, and copy patient names, birth dates, email addresses and subscriber identification numbers. Also accessible were the website user names of CareFirst members.

The latter is potentially the most serious, as user accounts can be used to access a much wider range of data. These usernames are generated by CareFirst members, but in order for them to be used, a password must also be entered. Passwords were not stored in the accessed database.

When Mandiant reported the security breach, CareFirst blocked all member accounts and enforced a change to both username and password in order to prevent unauthorized access to online accounts.

The individuals affected are those who registered online on the CareFirst website prior to June 20, 2014. In accordance with the HIPAA Breach Notification Rule, all affected individuals will be receiving a notification letter in the post explaining the breach and the data that has been exposed.

CareFirst BlueCross BlueShield will be offering two years of free credit monitoring and identity theft protection services to all 1.1 million members affected by the breach.

Time to Look Closely at Access Logs

The two mega data breaches to hit health insurers may trigger a wave of breach reports as companies take a closer look at their own networks and check for unauthorized access to data. They may discover that hackers have broken through defenses and have been inside computer networks for some time. When Anthem and Premera discovered their data breaches, both insurers found that cybercriminals had first gained access to their systems many months previously.

Data breaches such as this should serve as a reminder that cybercriminals are able to break through cybersecurity defenses undetected. It is therefore essential that healthcare providers, insurers and other holders of sensitive data regularly conduct internal audits to check for security breaches. It may not always be possible to prevent a successful cyberattack, but it is possible to severely limit the damage caused by detecting intrusions early.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.