For CareFirst BlueCross BlueShield, the road to hell was paved with good intentions. Recently, while making cybersecurity upgrades, the company discovered that it had actually already been breached—in June 2014.
The hack affected 1.1 million current and former customers; CareFirst has 3.4 million current customers. The company, which offers coverage in Washington, D.C., Virginia, and Maryland, says that hackers compromised one of its databases and may have had access to user names, member IDs, legal names, birthdays, and email addresses. Medical records, credit card numbers, and Social Security numbers weren’t affected.
Cybersecurity consulting firm Mandiant did not find evidence of other breaches on the CareFirst network, according to the insurer. The company is forcing all affected users to set up new accounts (new user names and passwords) and is offering two free years of credit monitoring. The incident isn’t on the scale of the Anthem breach, disclosed in February, which affected 80 million customers, but it shows that even companies taking action to protect themselves may be behind the curve.