PHI of More than 200,000 Washington D.C. Health Plan Members Stolen by Hackers

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) is alerting its members about a cyberattack in which their protected health information was stolen.

CHPDC, formerly called Trusted Health Plans, detected a breach of its computer systems on January 28, 2021. The Washington D.C-based health plan took immediate steps to isolate the affected computers and secure its network to prevent further unauthorized access and the cybersecurity firm CrowdStrike was hired to investigate the breach.

CrowdStrike confirmed that protected health information was exfiltrated by the attackers, who were most likely a foreign cybercriminal group. CHPDC said anyone who has been an enrollee of CHPDC has been affected, as well as current and former employees.

The types of data stolen included full names, addresses, telephone numbers, dates of birth, Social Security numbers, Medicaid numbers, medical information, claims information, and a limited amount of clinical information. The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 200,665 individuals.

CrowdStrike provide assistance in securing CHPDC systems and a series of steps were taken to enhance security to prevent similar breaches from occurring in the future. All passwords have been changed, CHPDC stopped operations that share information with business partners, and the Internet and dark web are being monitored for any signs of misuse of member data.

Since protected health information has been obtained by cybercriminals, affected individuals are being provided with complimentary identity theft protection and credit monitoring services for two years, which includes insurance and identity theft restoration services.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.