Phishing Attack at CareFirst BCBS Affects 6,800 Members

April 7, 2018


A targeted phishing attack performed on CareFirst Blue Cross Blue Shield has led to the disclosure of 6,800 plan subscribers’ protected health data.

The attack was first found by CareFirst on March 12, 2018, leading to a complete check of their systems, which included a forensic study of the electronic mail system and CareFirst’s systems generally. Together with the internal inquiry by the CareFirst IT safety team, an external information safety company also studied the phishing attack.

The studies didn’t find any evidence to indicate electronic mails in the undermined account had been viewed by the attacker; nevertheless, the electronic mails in the account did contain some PHI and data access couldn’t be removed with a high level of certainty.

When access to the account was obtained, the attacker transmitted phishing electronic mails to people in a contact list. Those people were not affiliated with or working with CareFirst BCBS. The electronic mails were transmitted with the aim of gaining more login details. No malware was found.

Although 6,800 peoples have may have been affected by the occurrence, just 8 Social Security numbers were at risk. Other kinds of data that might have been accessed include members’ names, dates of birth, and member ID credentials. No fiscal data was at risk and neither any secret health information.

The probability of the information in the account to be used for identity theft and scam is minimal, but to make sure plan members are protected, all have been offered identity theft safety and credit checking facilities for 24 months for free.

CareFirst BCBS summarized in its breach notification that it is already compulsory for staff to undergo yearly safety consciousness training. All staff are trained on the hazards of cyberattacks, the kinds of attack used to gain access to confidential data, and told how they should remain strictly cautious for possible phishing efforts. Together with the official training sessions, CareFirst provides continuing safety consciousness training on an ongoing basis.