Skip to main content

CareFirst Data Breach: What You Should Do Now

CareFirst BlueCross BlueShield, a non-profit health-insurance company that covers Virginia, Maryland and the District of Columbia, announced yesterday (May 20) that information pertaining to 1.1 million of its customers had been compromised in a deliberate data breach.

"We think an unauthorized party gained access to some limited information about our members," CareFirst President and CEO Chet Burrell said in a video posted on carefirstanswers.com. "It looks like they gained access to some member names, dates of birth and email addresses, as well as users' IDs that individual members — you — set up when you registered on our website."

Burrell added that passwords were not compromised, nor were the attackers "able to see any of your underlying information about your medical claims, about your credit card information or Social Security number or any other information about you."

MORE: What to Do After a Data Breach

Independent security reporter Brian Krebs saw striking similarities between the CareFirst breach and two data breaches disclosed earlier this year at two other health-insurance companies, Premera Blue Cross and Anthem, which together affected about 90 million people.

In a blog posting this morning (May 21), Krebs noted that Web domain names mimicking those belonging to Premera, CareFirst and Anthem had been registered in China in April 2014, when the Anthem intrusion is thought to have begun, along with domain names mimicking those of an Anthem subsidiary, Empire BlueCross BlueShield.

All four companies belong to the Blue Cross Blue Shield Association (BCBSA), a nationwide network of 37 independent health-insurance providers that are each allocated certain territories, yet often handle each other's claims and share customer information. (The BSBSA also maintains links to seven Canadian Blue Cross regional companies.)

Interestingly, the CareFirst breach may have never been discovered had it not been for the increased awareness created by those earlier breaches.

"As part of CareFirst's ongoing information technology security efforts in the wake of recent cyberattacks on other health insurers, CareFirst engaged the services of Mandiant," a firm that specializes in scouring corporate databases for evidence of intrusion, said a FAQ posted on carefirstanswers.com. "On April 21, 2015, Mandiant discovered that a sophisticated cyberattack occurred that likely resulted in a limited unauthorized access to a database on June 19, 2014."

The FAQ said that the unauthorized access had been discovered at the time of intrusion, but added that no customer data was thought to have been compromised until Mandiant was brought in. It took a month for Mandiant to assess the scope of the damage, the FAQ said.

It may be small consolation to individuals impacted by the CareFirst breach, but they are at less immediate risk of identity theft than people hit by the Anthem and Premera breaches. That's because the latter two breaches involved Social Security numbers and mailing addresses, along with names and dates of birth -- four factors that are all you'd need to steal someone else's identity. The Premera breach also exposed bank-account information, placing those affected at dire risk of financial fraud and monetary theft as well.

By contrast, the most sensitive pieces of information exposed in the CareFirst breach were dates of birth, which even when matched with names are usually not enough to verify identity. The email addresses are useful to spammers and could be matched with commonly used passwords in blind attempts to break into online accounts. (Burrell said no CareFirst customer passwords were compromised.)

Nevertheless, CareFirst is notifying each affected person by mail and asking them to change their CareFirst password. The letters will contain information and activation codes enabling each individual to sign up with Experian's ProtectMyID identity-protection service for free for two years. Families with children 18 years old or younger will also be able to enroll for two free years of Experian's FamilySecure identity-protection service for minors.

MORE: Best Identity-Theft Protection Services

The company noted that it "will not contact members by email or make unsolicited phone calls to you about this attack. If you receive inquiries by phone, email or social media purporting to be related to this attack, they are not from CareFirst."

Well-publicized data breaches often generate phishing campaigns by criminals, who prey on fears of identity theft by sending out genuine-looking emails asking affected individuals to update their personal information online. Those who fall for the trick often become victims of identity theft.

Tom's Guide urges that every person affected by a data breach take whatever free credit-monitoring or identity-protection services are offered, even if the services offered aren't among the best available.

But if you are a customer of CareFirst, don't wait for the letter to arrive telling you whether you were affected by this data breach. Instead, contact each of the three main U.S. credit-reporting agencies -- Equifax, Experian and TransUnion -- and ask each to place a credit alert on your file.

Equifax can be reached at 1-888-766-0008 or at this website. Experian can be called at 1-888-397-3742, or a credit alert can be requested here. For TransUnion, the phone number is 1-800-680-7289, and here's the website.

A credit alert, which is free and can be renewed every 90 days, will notify you if anyone runs a credit report on you or tries to open any financial account in your name.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.