CareFirst now says cyberattack hit 1.1 million

CareFirst BlueCross BlueShield is the latest health insurer to be hit by a cyberattack, with information on approximately 1.1 million customers compromised.

The breach took place on June 19, 2014, and was detected by the company, which took action to contain the damage, believing no member information had been accessed.

It learned differently last month after retaining a security firm to access its information technology in the wake of attacks on other health insurers, CareFirst, which operates in Maryland, the District of Columbia and parts of Virginia, said Wednesday.

The security firm, Mandiant, on April 21, 2015, discovered the attack likely resulted in unauthorized access to a database that stores information that members and others use to gain access to the company's website.

Attackers potentially gained customer names, user names, birth dates, email addresses and subscriber identification numbers. The company doesn't believe attackers accessed member Social Security numbers, medical claims, employment, credit card or financial information.

Members who created online accounts at www.carefirst.com before June 20,2014, are potentially affected, while those who enrolled after aren't.

CareFirst will send a letter to those affected offering two years of free credit monitoring and ID theft protection services.

The company reported the attack to the FBI, which is investigating.

In March, health insurer Premera Blue Cross said hackers may have accessed personal information including Social Security numbers on as many as 11 million people. A month earlier, health insurer Anthem said its computer network had been hacked.