CareFirst Data Breach

CareFirst, a Blue Cross Blue Shield plan, on Wednesday became the third major health insurer in the United States to disclose this year that hackers had breached its computer systems and potentially compromised some customer information.

Concerned by the string of recent cyber attacks against other healthcare providers (including Anthem, Premera, and Community Health Systems), CareFirst decided to examine its own systems, the company explained in a notice on its website. CareFirst hired Mandiant to review its networks, which led to the discovery of an undetected intrusion in June 2014.

While no health records or Social Security numbers were compromised in the breach, attackers accessed a database containing names, birth dates, email addresses and subscriber ID numbers of CareFirst customers. Luckily, the passwords required to access member accounts were encrypted and stored separately.

“We deeply regret the concern this attack may cause,” wrote CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack – and what information was and was not affected.”

Health-care providers and insurers hold troves of personal data on their customers, which may be useful to intelligence agencies. Much like America’s National Security Agency, China’s People’s Liberation Army is known to vacuum up as much data as possible on foreign targets—or even potential targets—and sort through it later, U.S. officials briefed on previous health-care breaches said.

The Blue Cross Blue Shield Association said that it and its member health plans “have taken strong steps to fortify protections for our customers.” It said it had no indication that Blue Cross and Blue Shield companies “are being specifically targeted” by hackers or that the insurers share “any common vulnerability” to attacks.