The CareFirst Building in Owings Mills. (file)

CareFirst hit by cyberattack

CareFirst BlueCross BlueShield said Wednesday it had been hit by a “sophisticated cyberattack” during which attackers gained limited access to one of the company’s databases in June 2014.

Chet Burrell, president and CEO of CareFirst. (File)

The names, birth dates, email addresses and subscriber identification numbers of about 1.1 million people — mostly CareFirst members, but also some brokers who sell CareFirst products — may have been compromised.

But the database that was hacked didn’t contain Social Security numbers, medical claims, employment information, credit card numbers or other financial data, according to a statement from CareFirst.

Current and former CareFirst members and individuals who registered to use CareFirst websites before June 20, 2014, were affected by the attack. CareFirst has blocked member access to these accounts and is asking members to create new user names and passwords, according to the company.

“We deeply regret the concern this attack may cause,” said Chet Burrell, CareFirst’s president and CEO, in a statement. “We are making sure those affected understand the extent of the attack — and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information.”

CareFirst will offer free credit monitoring and identity theft protection to those affected by the attack for two years, Burrell said in a statement.

The company discovered the attack after contracting a cybersecurity firm, Mandiant, to review its operations in the wake of several recent cyberattacks on health insurers. Mandiant found some evidence of an attack in late April and confirmed that the database had been breached on May 15, according to CareFirst.

Mandiant did not find evidence of any successful previous or subsequent attacks, but Burrell said in a conference call with reporters Wednesday that the company endures millions of attempted cyberattacks every year, and that this is the only one known to have gotten past the company’s defenses.

The origin of the attack was unclear, but CareFirst reported the attack to the FBI, which is investigating, Burrell said.

The first indication of the breach came in April 2014, when CareFirst detected an attempted attack but believed it had been repelled after the affected part of the system was isolated. Company officials now believe the attackers left a “backdoor” into the system, allowing them to access the database on June 19, 2014.

CareFirst’s regular cybersecurity defenses will now include the more thorough scan used by Mandiant to detect the attack, according to CareFirst.

The attack on CareFirst is the latest in a series of cyberattacks that have struck businesses and institutions in Maryland.

In February 2014, the University of Maryland, College Park announced that an attack had compromised the personal information of more than 309,000 staffers, students and alumni.

In January, the WBOC television station on the Eastern Shore had its website and Twitter account hacked by a group calling itself the CyberCaliphate, which posted pictures on the website that appeared to support the Islamic State.

Even attacks not focused in Maryland have taken their toll: a hack of the Sony Playstation game network in 2011 compromised the personal data of 630,000 Maryland residents, and 45 residents were affected by the hack on Sony Pictures Entertainment last year, according to the Maryland attorney general’s office.