Following a brute force attack on the Florida Blue online member portal, the protected health information (PHI) of approximately 30,063 Florida Blue (Blue Cross and Blue Shield of Florida) members may have been accessed or downloaded by unauthorized individuals.
The attack began on June 8, 2021, when unknown actors launched a brute force campaign against the portal. In an attempt to gain access, the campaign leveraged a massive database of user identifiers and matching passwords that had been obtained from online sources. Early indications are that the database was compiled from data breaches at third-party companies in which username and password combinations had been stolen.
Florida Blue reports that some of those automated attempts were successful and the attacker gained access to information contained in online member accounts. This information typically included names, contact information, claims information, payment information, health insurance policy information, and other personal information.
Once the brute force attack was discovered, Florida Blue moved quickly to block the IP addresses used by the cybercriminals. In addition, it has introduced new security processes to bolster the security of its web portal and block any further brute force attacks.
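The pattern described above (one source trying many leaked username and password pairs, with a few succeeding) can be found in login logs. The following is an added example, not code from Florida Blue or from this report; the log format, thresholds, function names and sample events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: timestamp, source IP, username, outcome.
# IPs are documentation ranges; the log format is an assumption, not Florida Blue's.
SAMPLE_LOG = """\
2021-06-08T02:00:01Z 203.0.113.7 alice FAIL
2021-06-08T02:00:02Z 203.0.113.7 bob FAIL
2021-06-08T02:00:03Z 203.0.113.7 carol OK
2021-06-08T02:00:04Z 203.0.113.7 dave FAIL
2021-06-08T02:00:05Z 203.0.113.7 erin FAIL
2021-06-08T02:00:06Z 203.0.113.7 frank FAIL
2021-06-08T08:15:10Z 198.51.100.20 gina FAIL
2021-06-08T08:15:31Z 198.51.100.20 gina OK
2021-06-08T09:00:00Z 192.0.2.44 henry OK
2021-06-08T09:01:00Z 192.0.2.44 ivy OK
2021-06-08T09:02:00Z 192.0.2.44 judy OK
2021-06-08T09:03:00Z 192.0.2.44 ken OK
2021-06-08T09:04:00Z 192.0.2.44 leo OK
2021-06-08T09:05:00Z 192.0.2.44 mia FAIL
"""

def parse(log):
    """Yield (ip, username, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def find_stuffing(log, min_users=5, max_success_ratio=0.5):
    """Map each suspect IP to the accounts it logged in to successfully.

    An IP is suspect when it tried at least min_users distinct usernames and
    at most max_success_ratio of them succeeded. The ratio check keeps a shared
    egress address (office NAT, 192.0.2.44 above) from being flagged.
    """
    tried, opened = defaultdict(set), defaultdict(set)
    for ip, user, ok in parse(log):
        tried[ip].add(user)
        if ok:
            opened[ip].add(user)
    suspects = {}
    for ip, users in tried.items():
        ratio = len(opened[ip]) / len(users)
        if len(users) >= min_users and ratio <= max_success_ratio:
            suspects[ip] = sorted(opened[ip])  # accounts to reset and notify
    return suspects

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(f"block {ip}; review accounts: {accounts}")
```

The returned account lists are the ones that matter after the IP is blocked: a successful login from a flagged source means the member's password was valid and should be reset.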
Florida Blue members who may have been impacted by the breach were sent notification letters on June 30, 2021, warning them to remain vigilant and to review their accounts for any indication of suspicious activity, such as unauthorized transactions.
To date, no evidence has been uncovered to indicate that any PHI was stolen by the hackers. Hacking incidents like this show how important it is for companies to ensure that all passwords are strong and unique. If there is a good password policy in place, then a brute force attack will not be in a position to penetrate your online accounts.
As a precautionary measure, impacted Florida Blue members have been offered a free 2-year membership of Experian identity theft protection, detection, and resolution services to protect them from identity theft and fraud.