As many as 1.1 million Washington D.C. BlueCross BlueShield members may have had their information accessed in a cyberbreach that occurred in June of 2014.

CareFirst BlueCross BlueShield announced Wednesday it had been the target of a “sophisticated cyberattack,” the company said in a release.

The attackers could have potentially acquired members’ names, birth dates, email addresses and subscriber identification numbers.

However, CareFirst said its user names must be used in conjunction with a member-created password to gain access to underlying member data on the website.

The database that was breached did not include these passwords, which were encrypted and stored in a separate system as a safeguard against such attacks.

That means the attackers did not have access to member Social Security numbers, medical claims, employment, credit card, or financial information, CareFirst said.

The company is blocking member access to the accounts that might have been compromised and is asking members to create new user names and passwords for them.

All affected users will be sent letters granting them two years of free credit monitoring and identity theft protection, the company said in a statement posted on its site.

The attack came to light when CareFirst hired Mandiant, the cyber forensics unit of computer security company FireEye, to review its security in the wake of recent cyber attacks on other health insurers.

“The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the healthcare industry over the past year,” said Charles Carmakal, managing director of Mandiant.

Read or Share this story: