CareFirst Reports Cyberattack Affecting Up to 1.1M Individuals
May 21, 2015 in News
CareFirst is the third major U.S. health insurer to disclose a breach this year (Goldstein/Abelson, New York Times, 5/20).
CareFirst said it learned of the incident on April 21 during a systems review by FireEye (Mathews/Yadron, Wall Street Journal, 5/20). The company waited to disclose the details to allow the investigation to be completed (Peterson, “The Switch,” Washington Post, 5/20).
The attack appears to have occurred on June 19, 2014, according to the Journal. CareFirst said that its cybersecurity team thought it had already fended off an initial attack in April 2014 (Wall Street Journal, 5/20). However, the recent review revealed that the attackers were able to access members’ information, including:
- Email addresses;
- Names; and
- Subscriber identification numbers.
The database that was attacked did not include:
- Employment information;
- Financial information;
- Medical claims; or
- Social Security numbers (“The Switch,” Washington Post, 5/20).
CareFirst said the incident could affect individuals who registered to use its websites prior to June 20, 2014 (Wall Street Journal, 5/20). CareFirst offers coverage to individuals in Maryland, Washington, D.C. and Virginia (“The Switch,” Washington Post, 5/20).
The company said it will cover the cost of two years of credit monitoring and identity theft protection for affected individuals (USA Today, 5/20).
The incident is under FBI investigation and the bureau “is working with the victim company in order to determine the nature and scope of this incident,” an FBI spokesperson said (“The Switch,” Washington Post, 5/20).
Ponemon Institute Chair Larry Ponemon said that cyberattacks against health insurers have escalated in recent years. He noted that the health care industry is especially vulnerable because it works with data that appeal to hackers seeking to steal consumers’ identities (New York Times, 5/20).
Meanwhile, some experts say that health insurers could mitigate some of the damages caused by data breaches by reducing the amount of time they retain individuals’ information.
For example, CynergisTek Founder Mac McMillan said, “These breaches we’re seeing wouldn’t be near as large as they are if they weren’t holding on to so much data.” He added, “One of the overarching questions that needs to be asked is why are companies able to hold on to so much information on people they’re no longer serving?”
However, Mark Shelhart, senior manager for incident response and forensics at Sikich, said that companies hold on to customer data out of concern that it might have future value.
In addition, HIPAA requires that covered entities keep documentation required by the law for at least six years. States can require entities to hold information longer.
Katherine Keefe, head of British insurer Beazley’s global privacy breach response, said that sometimes companies are not aware that they are holding onto old information. She said, “They need to look at document retention and destruction policies and that of their vendors” (Rubenfire, Modern Healthcare, 5/20).