Phishing Attack at CareFirst BCBS Impacts 6,800 Members

by | Apr 5, 2018

A targeted phishing attack carried out on CareFirst Blue Cross Blue Shield has lead to the exposure of 6,800 plan subscriber’ protected health data.

The attack was first discovered by CareFirst on March 12, 2018, resulting in a complete review of their systems, which incorporated a forensic analysis of the email system and CareFirst’s systems in general. Along with the internal investigation by the CareFirst IT security team, an external information security firm also examined the phishing attack.

The analyses did not find any proof to suggest emails in the compromised account had been seen by the attacker; however, the emails in the account did include some protected health information and data access could not be eliminated with a high degree of certainty.

Once access to the account was obtained, the attacker sent phishing emails to people in a contact list. Those people were not working with or affiliated with CareFirst BCBS. The emails were broadcast with the aim of gaining further login details. No malware was detected.

While 6,800 peoples have may have been affected by the incident, only 8 Social Security numbers were at risk. Other types of data that could have been accessed include members’ names, dates of birth, and member ID credentials. No financial data was at risk and neither any private health information.

The possibility of the information in the account to be used for identity theft and fraud is minimal, but to ensure plan members are safeguarded, all have been offered identity theft protection and credit monitoring services for 24 months for free.

CareFirst BCBS outlined in its breach notice that it is already mandatory for staff to undergo annual security awareness training. All staff are trained on the dangers of cyberattacks, the types of attack used to gain access to sensitive data, and told how they must remain strictly vigilant for possible phishing attempts. Along with the formal training sessions, CareFirst provides ongoing security awareness training on an ongoing basis.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy