Major Insurer CareFirst Target of Cyberattack – 1.1M Records Compromised

BREAKING NEWS: FBI investigating suspected Chinese hack of over one million customer records from June 2014 at CareFirst.

CareFirst BlueCross BlueShield announced it has been the target of a major cyberattack which has compromised 1.1M consumer records. The theft of patient data was discovered following a review, which was conducted after similar cyberattacks compromised patient information at Anthem and Premera earlier this year.

Anxious patients and customers must now wait to hear if their personal information has been stolen.

CareFirst has announced the attack with a message on its website’s homepage, and is also offering 2 years of free credit monitoring and identity theft protection for affected members. However, the theft occurred almost a year ago and has only just been announced.

Affected consumers will be notified in writing by CareFirst:

CareFirst BlueCross BlueShield has been the target of a cyberattack
CareFirst BlueCross BlueShield has confirmed that cyber-attackers gained limited, unauthorized access to a CareFirst database. We understand that the security of your information is important and we are taking steps to protect members in light of this attack and moving forward.

We are offering two years of free credit monitoring and identity theft protection services for those members affected. If you have been affected, you will receive a letter from CareFirst.

The Federal Bureau of Investigation (FBI) is investigating the theft, which occurred on June 19, 2014 after an encrypted database was hacked. The stolen information is thought to include names, dates of birth, private email addresses and subscriber ID. However, it is also believed that no Social Security Numbers or passwords have been compromised.

Unconfirmed reports suggest Chinese hackers are behind the latest attack, which affects consumers in Washington DC, Maryland and Virginia.

The FBI announced the following advice for healthcare providers, their Business Associates, and consumers:

“Individuals contacted by the company should take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at ic3.gov,” the statement reads. “Similar to other recent intrusions, this incident underscores the importance of rapidly notifying law enforcement once a breach has been detected, as doing so allows the FBI to quickly deploy our cyber experts to preserve evidence and work with incident responders to help recover their networks. Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice.”

CareFirst Customers Affected by the Cyberattack

The hack affects CareFirst customers who created an online account before June 20, 2014 at carefirst.com.

If you created an account on June 20, 2014 or after, you are thought not to have been affected by this breach.

Impact on CareFirst Post Patient Data Theft

There are several outstanding questions to be answered in this case.

The first, obviously, is who carried out the attack; while the FBI is investigating, we shall have to await its findings.

One major question is why CareFirst’s cyber security was not capable of preventing the theft.

I expect that the Department of Health and Human Services (HHS) will be conducting its own investigation into the circumstances, and in particular whether there are HIPAA violations.

Another question is why the theft took so long to detect.

Compromised information has by now been in the hands of the criminal community for almost a year, which means they have had plenty of time to use it for their own nefarious purposes.

Finally, is offering free identity theft protection really going to put their customers at ease, and what will the impact on CareFirst’s business be?

Underlining the Importance of Cyber Security and the Real Nature of the Threat to You

Ask yourself a simple question: do you want to be in the position of CareFirst President & CEO Chet Burrell, who has issued this embarrassing statement:

“We deeply regret the concern this attack may cause,” CareFirst President and CEO Chet Burrell said in a statement. “We are making sure those affected understand the extent of the attack–and what information was and was not affected.”

Protecting your patient and business data is essential and it cannot be left to chance. HIPAA provides for severe civil and criminal penalties in the case of violations, and we shall need to wait and see if any occurred in this incident.

The impact on CareFirst’s brand and reputation with customers is obvious – no one wants to be put in this situation.

While we can now only await the results of pending investigations, you have the opportunity now to ensure you are not only HIPAA compliant, but also protected in fact.

Remember HIPAA only provides for minimum standards – do you really want to do just enough to comply, or do you want to do all you can to make sure you’re not the one issuing an embarrassing apology and free identity theft protection to your patients and customers?

About Swift Systems – HIPAA IT Compliance & Security Specialist

Swift Systems is the leading provider of IT Managed Services for healthcare practices and their business associates. We are highly experienced in all forms of cyber security and ensuring HIPAA compliance. We also are highly skilled at performing penetration testing, security audits and formulating strategies which take your cyber security beyond what HIPAA demands.

Call us today for a free initial consultation.

Toll Free Sales Assistance: 877.SWIFT.S.I (877.794.3874)
Email: sales@swiftsystems.com
