A major cybersecurity breach has been discovered by CareFirst Blue Cross Blue Shield after an email account was compromised; the CareFirst BCBS cyberattack is reported to have affected 1.1 million health plan members.
CareFirst is the third healthcare insurance company to suffer a major data breach in the last few months. The first announcement came from Anthem Inc., in February, after it discovered it had suffered a data breach that exposed the records of 78.8 million individuals. Access to the data first taken place many months previously. Next was Premera Health which suffered a data breach that exposed 11 million records. Again the attack was historic, dating back some 10 months.
Now CareFirst has reported that its data breach first occurred on June 20, 2014, with the last known access taking place on January. The investigation determined that a single database was compromised in the attack and fortunately it was not used to store highly sensitive information such as credit card numbers, bank details, Social Security numbers and healthcare data.
CareFirst BCBS Cyberattack Exposes Usernames and PII
The data exposed was limited to patient names, email addresses, birth dates and subscriber identification number along with the usernames for the company’s website portal. There is a risk that the data could be used for criminal purposes, and the primary concern is the usernames.
No passwords were contained on the database, but by using the username along with combinations of the data, it may be possible for some passwords to be guessed or cracked.
As a result, credit monitoring services are being offered to the victims for a period of two years to mitigate any damage caused, and the CareFirst cyberattack has meant the company has been forced to reset usernames and passwords to prevent any unauthorized accessing of user accounts. Were the thieves to crack a password, they would have access to the full information entered by the patients into the portal.
All patients are in the process of being notified by post of the steps they must take to protect their identities. Patients will be required to create new user names and passwords to use the online system.
CareFirst BCBS Cyberattack Highlights Need for Proactivity
Security systems are not infallible. Employees are a weak link and some may be fooled into installing a virus or malware or divulging their login credentials. Many malicious programs mimic those released by well-known and well trusted organizations (phishing). What’s more, when access is gained by the criminals it can be difficult to identify.
For this reason, healthcare providers and insurers should schedule in regular security audits and scan all systems and devices for signs of intrusion and malicious software, and this should be scheduled to take place at least every 6 months.
It may not be possible to prevent a data breach, but when one occurs, it is essential to identify it promptly so that access to PHI and other sensitive data can be blocked and the damage minimized.