Here's what cyber criminals can do with data from 1.1 million CareFirst members

Baltimore Business Journal | 05.21.15

A cyberattack that affected more than 1 million CareFirst BlueCross BlueShield members did not compromise their most personal details, such as Social Security numbers, medical claims and credit card numbers. But that does not mean those members are in the clear.

Secondary personal information, such as the email addresses, birth dates and member ID numbers stolen from CareFirst, is often used to trick people into giving up more personal details or is sold on black markets to organizations that piece it together into clearer profiles of individuals, said Chad Carroll, vice president of information operations at Columbia cybersecurity firm Chiron Technology Services Inc.

"The data they claim to have exfiltrated, although it's not what you would consider critical, sensitive, identifying information, it's still valuable. It’s still useful," said Carroll, whose company specializes in prevention and early detection of cyberattacks.

CareFirst on Wednesday said a June 2014 attack compromised a database that stores information members use to create online accounts with the insurer. About 1.1 million members, former members and a small number of insurance brokers who registered with CareFirst before June 20, 2014, are affected.

CareFirst responded the right way, by offering free credit monitoring and sending personal notifications to affected customers, Carroll said. But members still need to be careful in the weeks and months ahead.

A common phishing scam is to send an email to customers notifying them of the breach and asking them to click a link in the email to confirm other details about their account. Their member ID number and birth date at the top of the letter add legitimacy to the note, which is designed to steal even more information.

Data breaches are becoming increasingly common, especially among health care companies, which collect lots of personal data that is valuable when sold on a black market. CareFirst is the third major health insurer to announce a breach this year. A breach at Anthem affected about 79 million people; hackers stole information on 11 million members from Premera Blue Cross.

Carroll warned that cyberattacks are not just for financial and health care companies. Anyone with an online presence can be a target, which is why it is important for companies to have a strong cybersecurity system that includes a human element: people who are specialized in thinking like cyber criminals and combating them. Companies also need to have a plan for handling a breach when it happens.

"If an adversary has enough money, enough time, enough resolution, they will get in," Carroll said.

By Sarah Gantz