A targeted phishing attack carried out on CareFirst Blue Cross Blue Shield has lead to the exposure of 6,800 plan subscriber’ protected health data.
The attack was first discovered by CareFirst on March 12, 2018, resulting in a complete review of their systems, which incorporated a forensic analysis of the email system and CareFirst’s systems in general. Along with the internal investigation by the CareFirst IT security team, an external information security firm also examined the phishing attack.
The analyses did not find any proof to suggest emails in the compromised account had been seen by the attacker; however, the emails in the account did include some protected health information and data access could not be eliminated with a high degree of certainty.
Once access to the account was obtained, the attacker sent phishing emails to people in a contact list. Those people were not working with or affiliated with CareFirst BCBS. The emails were broadcast with the aim of gaining further login details. No malware was detected.
While 6,800 peoples have may have been affected by the incident, only 8 Social Security numbers were at risk. Other types of data that could have been accessed include members’ names, dates of birth, and member ID credentials. No financial data was at risk and neither any private health information.
The possibility of the information in the account to be used for identity theft and fraud is minimal, but to ensure plan members are safeguarded, all have been offered identity theft protection and credit monitoring services for 24 months for free.
CareFirst BCBS outlined in its breach notice that it is already mandatory for staff to undergo annual security awareness training. All staff are trained on the dangers of cyberattacks, the types of attack used to gain access to sensitive data, and told how they must remain strictly vigilant for possible phishing attempts. Along with the formal training sessions, CareFirst provides ongoing security awareness training on an ongoing basis.