According to a Wall Street Journal report, Washington, D.C.-based not-for-profit health insurer CareFirst BlueCross BlueShield announced Wednesday that it had suffered a major data breach…last June!
The breach was announced Wednesday, after cyber security firm FireEye completed its review of the attack late last week.
Hackers targeted and gained access to the personal information, including names, birth dates, email addresses and subscriber information, of over one million of its customers.
“This breach provides further evidence that cyber security defenses in the healthcare industry are still one step behind sophisticated hackers. The first question to ask is: was the compromised database properly encrypted? Encryption is widely recognized as a best practice and it is vitally important for a company like CareFirst, which is handling sensitive patient information. Healthcare companies are prime targets for hackers,” Greg Kazmierczak, CTO of Wave Systems, told DC Inno.
CareFirst, along with Anthem Insurance and Premera Blue Cross, becomes the third major health insurer this year to report a data breach. CareFirst has hired FireEye to investigate the breach and mitigate the damage.
“The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the health-care industry over the past year,” FireEye said in a statement.
A representative of CareFirst stated that the compromised database “contained no member Social Security numbers, medical claims, employment, credit card or financial information.” The insurer also stated that when it first detected the attempted attack last April, it believed it had successfully deflected the infiltration.
But criticism of CareFirst has already begun. “Not only should the database have been encrypted, but access to the database should have been protected by 2-factor authentication. By having multiple identifying factors, it is dramatically harder for a hacker to gain entry into this type of database. While CareFirst stated that Social Security numbers and credit cards were not held in the database, access to names, birth dates, and email addresses can lay the groundwork for future intelligence gathering and cyber intrusions. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked,” Kazmierczak said.
Breaking It Down
This is simply another sign of sloppy data handling by a major company. This should never have happened to CareFirst. But what do you expect when data security standards in the health care industry are so poor? Another sad fact is that the company experienced this data breach last year but is only announcing it now. That's why we need a national data breach notification law, and we need it now! CareFirst is trying to make its customers feel better by saying that no Social Security numbers, medical claims, employment, credit card or financial information was in the database. So what! The information that was there is enough for a cyber criminal to hijack an email account, launch a convincing phishing campaign, or even steal an identity: names, birth dates and email addresses are exactly the details used to impersonate a customer and to pass the identity checks that guard the rest. With the information they did get, they can get the rest. As for black people who ask “what does that mean to me?” I just told you.