CareFirst Blue Cross Blue Shield is alerting 6,800 of its plan members that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a successful phishing attack on one of its employees.
Phishing attacks are conducted to gain access to sensitive information such as email credentials. Those credentials are then used to access sensitive data or to conduct further attacks on an organization.
The CareFirst phishing attack was discovered on March 12, 2018. A single employee was fooled into disclosing email account credentials, and the attackers used those credentials to access the email account and send spam emails to an email contact list. The recipients of those messages were not affiliated with CareFirst.
CareFirst’s security team conducted a full analysis of the email and a forensic analysis of its systems, and a third-party cybersecurity company also assisted with the investigation into the attack. The analysis of the initial phishing message revealed that no malware had been installed, and no malicious software was sent to any of the contacts in the email account.
The internal and third-party investigations did not uncover evidence to suggest any emails in the account were accessed, although the possibility could not be ruled out with total certainty. Many of the emails in the account contained the protected health information of members including names, dates of birth, and member ID numbers. No medical information or financial data were present in any of the emails in the account. CareFirst reports that out of the 6,800 members impacted, only 8 Social Security numbers were exposed.
Even though the risk of data being used for malicious purposes is low, out of an abundance of caution, all individuals impacted by the breach have been offered two years of complimentary credit monitoring and identity theft protection services.
The incident shows that even with security awareness training, employees can still be fooled by phishing emails. CareFirst says it provides annual training sessions on information security for all employees. In addition, an ongoing security awareness program helps to maintain awareness of phishing and other security threats.