CareFirst BlueCross BlueShield publicly revealed on May 20 that it was the victim of a data breach that may have exposed the personal information of up to 1.1 million Americans.
The CareFirst breach is the third major Blue Cross Blue Shield health care breach disclosed this year, after Anthem (affecting 80 million customers) and Premera (with an impact on up to 11 million people) earlier this year.
CareFirst began to examine its systems after the Anthem breach disclosure in February and engaged with FireEye's Mandiant incident response division, which determined that the CareFirst breach occurred in June 2014.
Mandiant's analysis shows that attackers gained access to a single CareFirst database. CareFirst noted that the information gained in the breach may have included member names, birth dates, email addresses and subscriber identification numbers. Additionally, CareFirst warned that the attackers may have acquired member-created user names for accessing CareFirst's Website.
"CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst's Website," CareFirst stated. "The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks."
However, CareFirst emphasized that financial information and medical claims information was not part of the database that attackers breached.
"Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years," CareFirst President and CEO Chet Burrell said in a statement.
CareFirst is also urging affected members to reset the usernames and passwords for their accounts.
The National Consumers League (NCL) is warning consumers to be wary of phishing attacks in the wake of the CareFirst breach.
"While the breach does not appear to have compromised sensitive information, such as Social Security numbers, passwords or medical information, cyber-crooks are no doubt busy using the information they did collect to craft convincing-looking phishing emails," John Breyault, vice president of public policy, telecommunications and fraud at NCL, said in a statement.
Breyault added that the phishing emails could include the CareFirst logo and look just like the real thing and may contain links or attachments that install malware or direct consumers to Websites designed to steal other information that can be used to commit identity theft or other kinds of fraud.
Unisys Chief Information Security Officer Dave Frymier warned that a breach of a health care provider like CareFirst can create life-or-death issues for consumers. "If stolen health records are used to obtain care by a criminal, fraudulently purchased medical procedures are listed on the records of people who did not have the procedures," Frymier stated in an email to eWEEK. "That can create critical medical issues in the future."
Frymier is also critical of CareFirst. Organizations seem only to invest in cyber-security after they are attacked, he said, while few seem willing to invest to prevent the attacks in the first place.
Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, also criticized how the health insurance industry is managing security. Cowperthwaite, who was chief information security officer at Providence Health and Services from 2006 to 2013, said that in the Anthem attack as well as the one against CareFirst, the length of time the attacker was in the companies' networks before they knew about it was quite long.
"This is very troubling. If you can't prevent an attack and you can't detect an attack, you have a very big problem," Cowperthwaite stated in email to eWEEK. "The health care industry must wake up and realize that they are subject to the same threats the financial services industry faces."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.