Health insurer CareFirst BlueCross BlueShield, a company covering customers in Maryland, Virginia and the District of Columbia, has been hacked and over 1 million customers are caught in the fray. The sophisticated cyberattack gave bad actors unauthorized access to a CareFirst database.
About 1.1 million current and former CareFirst members and people who registered to use the company’s Web sites before June 20, 2014 are impacted. CareFirst is sending out letters to notify affected parties and has promised two years of free credit monitoring and identity theft protection.
“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack -- and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”
Layers of Protection
The attack was discovered as a part of its ongoing information technology security efforts in the wake of recent cyberattacks on health insurers, according to the company. CareFirst engaged cybersecurity firm Mandiant to conduct an end-to-end examination of its IT environment.
The findings reveal cyberattackers gained access to a single database where CareFirst stores data that members and others enter to access CareFirst’s Web sites and online services. Mandiant’s findings suggest the attackers could have potentially acquired member-created user names used to access CareFirst’s Web site, as well as members’ names, birth dates, e-mail addresses and subscriber identification numbers.
The good news is that Mandiant did not find evidence of any other attack before or after the June 2014 event or any evidence that other personal information was accessed.
Members may not ultimately fall victim to identity thieves, though, because the attacker still needs a password to gain access to the member data -- Social Security numbers, medical claims, employment, credit card, or financial information -- and the hacked database did not include the passwords. CareFirst stores the fully encrypted passwords in a separate system.
We asked Mark Bower, global director of product management at HP Security Voltage, for his thoughts on the breach. He told us health care entities are the new data gold mines for attackers.
“The data is lucrative, often unprotected, and useful for medical and identity fraud,” he said. “Unfortunately, many health care firms do not have modern data-centric protection in place to neutralize breach risks of these kinds of attacks and are therefore vulnerable to being plundered from advanced malware.”
One reason for this dilemma is the lack of regular enforcement of security standards like PCI DSS, Bower said. Indeed, approaches that simply meet minimum compliance regulations are clearly not sufficient. He said other industries, including banking, payment processing and retail, have learned all too painfully that being compliant means nothing when the attackers are already inside, stealing data from behind the quickly dissolving perimeter.
“It's time for the health care entities to shift gears to modern data security defenses and join their peers in other industries who've already learned how to mitigate these threats and neutralize their data from advanced attacks to protect valuable data assets, enable data-rich analytic insight without risk, and prosper as a result to the delight of their customers,” he added.
Step Up the Game
Gavin Reid, vice president of threat intelligence at cloud security firm Lancope, told us large-scale attacks on hospital patient record databases, along with areas that are doing medical research, can yield extremely valuable source data for pharmaceutical and other medical research.
“Some medical offices have unique patient records and histories spanning years that could never be recreated and have a huge research value,” he said. “Secondly the patient records themselves often have very complete personal identifying information sets that are easily used in the more common data theft scenarios. The last and increasingly common reason is where medical identity theft is used to create fraudulent insurance claims using a stolen identity.”
What can the industry do to stop it? Reid said the medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection. But what can consumers do to protect themselves?
“Limit who has your personal data when possible -- share only with trusted providers that have a need to know,” Reid said. “Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive -- even if there is no associated bill or charge.”