On May 20, 2015, CareFirst BlueCross BlueShield (CareFirst) announced that the company has been the target of a sophisticated cyberattack.
The attackers gained limited, unauthorized access to a single CareFirst database. This was discovered as a part of the company’s ongoing Information Technology (IT) security efforts in the wake of recent cyberattacks on health insurers. CareFirst engaged Mandiant – one of the world’s leading cybersecurity firms – to conduct an end-to-end examination of its IT environment. This review included multiple, comprehensive scans of the CareFirst’s IT systems for any evidence of a cyberattack.
The review determined that in June 2014 cyberattackers gained access to a single database in which CareFirst stores data that members and other individuals enter to access CareFirst’s websites and online services. Mandiant completed its review and found no indication of any other prior or subsequent attack or evidence that other personal information was accessed.
Evidence suggests the attackers could have potentially acquired member-created user names created by individuals to access CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification number.
However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst’s website. The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card, or financial information.
… Approximately 1.1 million current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst’s websites prior to June 20, 2014 are affected by this event. All affected members will receive a letter from CareFirst offering two free years of credit monitoring and identity theft protection. The letters will contain an activation code and you must have the letter to enroll in the offered protections. Out of an abundance of caution, CareFirst has blocked member access to these accounts and will request that members create new user names and passwords.
CareFirst did detect the initial attack and took immediate action to contain the attack. At the time CareFirst believed that we had contained the attack and prevented any actual access to member information. The evidence that data was accessed was found as part of a comprehensive assessment conducted as part of CareFirst’s ongoing information security efforts in the wake of cyberattacks on other health care companies.
The Sixth Circuit handed down a new decision on computer search and seizure that may be the next computer search issue to make it to the Supreme Court. The issue: How does the private search reconstruction doctrine apply to computers? The new decision creates an apparent circuit split with the Fifth and Seventh Circuits.
Read more on The Volokh Conspiracy.
[From the article: