An unidentified group of hackers stole data from about 1.1 million current and former members of the health insurance company CareFirst BlueCross BlueShield in a breach last year, the company revealed on Wednesday.
The company disclosed the breach in an unusual way: with a website.
On the site, CareFirst admits that it was the target of a "sophisticated" cyberattack in June of last year, where the hackers "gained limited, unauthorized access to a single CareFirst database," potentially getting their hands on members' usernames as well as "names, birth dates, email addresses and subscriber identification number."
CareFirst president and CEO Chet Burrell addressed the company's customers in a video message embedded on the site.
"We deeply regret the concern this attack may cause," Burrell said. "We are making sure those affected understand the extent of the attack—and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years."
It's unclear who exactly was behind the attack, but the hackers are known to focus on healthcare data.
"The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the healthcare industry over the past year," Charles Carmakal, the managing director of Mandiant, the security firm that investigated the breach, said in an email to Motherboard.
It was Mandiant that discovered the attack, which had gone undetected until the firm was hired to review CareFirst's security in April. CareFirst contracted Mandiant after recent cyberattacks against healthcare companies, such as the one against Anthem.
"The healthcare industry must wake up and realize that they are subject to the same threats the financial services industry faces," Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, told Motherboard.
CareFirst downplayed the severity of the breach, saying "no member Social Security numbers, medical claims information or financial information was put at risk." However, the company is offering two years of free credit monitoring and identity theft protections, and, "out of an abundance of caution," will force members who have registered before the breach to change their username and password.