After Failing to Avert Data Breach Lawsuit, CareFirst Gets Hacked Again

Lightning can strike the same spot twice. Just ask CareFirst BlueCross BlueShield, who suffered a data breach last month, mere weeks after the health insurer fell short of convincing the United States Supreme Court to quash a case stemming from a much larger privacy incident.

In the latest breach, a phishing attack might have exposed the information of roughly 6800 CareFirst members, according to an announcement from the company. Hackers gained access to the personal data through a compromised email account belonging to a CareFirst employee, the company noted.

The bad actors could have obtained names, member identification numbers, birth dates, and a total of 8 social security numbers, according to CareFirst. But the hackers were unable to tap medical or financial data.

CareFirst learned of the intrusion on March 12, finding that the hacked email account “was used to send spam messages to an email list of individuals not associated with CareFirst,” according to the organization.

Since then, the company’s information security team and a third-party firm have performed a forensic analysis on the phishing attempt and spam messages sent through the email account, according to CareFirst. The digital privacy experts reset the busted email account and also analyzed CareFirst’s systems.

“There was no evidence of malware in the phishing email or spam, and no other suspicious activity was detected within CareFirst’s systems,” the company added. Further, it claimed that “the information accessible in the email account would be of limited use to an attacker and there is no evidence that CareFirst member information has been improperly used.”

Even so, the health insurance group is offering credit monitoring and identity theft protection services for the 6800 affected customers, for 2 years, at no cost. CareFirst intends to contact each of those individuals with the proposal.

News that an employee opened the door to the data breach is not surprising. Healthcare’s greatest cybersecurity threat comes from in house, either from malicious actors or, as in this case, people who made a mistake, according to one industry analysis. The study found that 78% of healthcare employees lacked some level of knowledge that could help them ward off privacy attacks.

In situations like the CareFirst breach, blame sometimes trickles upward to the institution. But CareFirst praised its data security training efforts.

“CareFirst has a comprehensive information security program, and employees must annually complete mandatory information security training,” the insurer said. “CareFirst conducts an ongoing security awareness program for employees through which employees are educated about cyberattack tactics about which they must remain vigilant.”

This, of course, isn’t the first data breach to bite CareFirst, and it isn’t the largest. A 2014 incident that potentially exposed more than 1 million patients spawned a class-action lawsuit, which CareFirst unsuccessfully attempted to block by petitioning the United States Supreme Court.

Get the best insights in healthcare analytics directly to your inbox.

Related

The MyFitnessPal Data Breach Must Resonate Beyond Its Userbase

Listen to Our Podcast, Data Book: Who Is the Dark Overlord?

Supreme Court Punts on CareFirst Data Breach Lawsuit