Concerned by the string of recent cyber attacks against other healthcare providers–including Anthem, Premera, and Community Health Systems–CareFirst decided to take a look into its own system, the company explained in a notice on its website. CareFirst hired Mandiant to review its networks, which led to the discovery of a previously undetected intrusion that occurred in June 2014.
While no health records or Social Security numbers were compromised in the breach, attackers accessed a database containing names, birth dates, email addresses and subscriber ID numbers of CareFirst customers. Luckily, the passwords required to access member accounts were encrypted and stored separately.
CareFirst blocked all affected member accounts, and members will have to create new user names and passwords to log in. CareFirst is offering two free years of credit monitoring to the 1.1 million affected customers in Maryland, Washington D.C., and Virginia, the company said.
“We deeply regret the concern this attack may cause,” wrote CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack – and what information was and was not affected.”
The CareFirst cyber attack is the third major healthcare breach announced this year alone–all of which were investigated by Mandiant. On March 17, Premera Blue Cross announced that 11 million customers’ medical and financial data had been breached in 2014. On February 13, Anthem announced that 80 million Social Security cards had been stolen in a breach that may have started in April 2014.
From big cyber attacks that make headlines to smaller breaches where just a few records are stolen, security incidents cost the healthcare sector $6 billion per year, according to a recent Ponemon Institute study. And for the first time, cyber attacks became the leading cause of data breaches this year.
“The root cause historically was around negligence, incompetence–not necessarily around criminal activity,” explained Dr. Larry Ponemon, founder of the Ponemon Institute. “It changed this year for the first time. The number one root cause of a data breach is criminal activity–could be insider or external.”
Criminal attacks in the healthcare sector have risen 125% since 2010, driven by the value of the healthcare data and electronic health records in an industry that’s lagging behind when it comes to security.
“An electronic healthcare record on the black market is worth somewhere between $60 and $70 on the black market, compared to a Social Security number that’s worth 50 cents or a dollar,” explained Rick Kam, cofounder of ID Experts. “There’s a really significant difference in value on the black market.”