A cyberattack on CareFirst BlueCross BlueShield in Maryland has potentially compromised the data of 6,800 users.
The attack, which occurred on March 12 but was revealed in a news release by CareFirst on Friday, reportedly came as a result of a phishing email that was opened by an employee.
Phishing attacks, like the one that targeted the Democratic National Committee during the 2016 election, use emails that appear to be from known companies to trick recipients into entering personal data that can then be used to gain access to accounts. This phishing scam could have revealed names, birthdays and member identification numbers of patients, WJZ-TV reports. In addition, the social security numbers of at least eight patients could have been stolen.
This is not the first data breach for CareFirst. In 2015, more than one million of its users had their data compromised after another cyberattack.
CareFirst BlueCross BlueShield is the largest health insurance provider in Maryland, and also supplies insurance to customers in Virginia and Washington, D.C.
In its news release on Friday, CareFirst disclosed the nature of the attack:
“On March 12, CareFirst determined that an employee was the victim of a phishing email which compromised the employee’s email account. The compromised email account was used to send spam messages to an email list of individuals not associated with CareFirst. However, because the email account was compromised, the attackers gained access to the employee’s email and could have potentially accessed personal information of 6,800 CareFirst members, including names, member identification numbers, date of birth, and in limited cases (8 individuals) social security numbers. No medical or financial information was compromised.”
CareFirst insisted in the news release that there was “no evidence of malware,” and that “the information accessible in the email account would be of limited use to an attacker and there is no evidence that CareFirst member information had been improperly used.”
The company also said that it would offer “free credit monitoring and identity theft protection” to everyone affected by the cyberattack.
This comes only a week after the 911 dispatch system in Maryland was hit by a ransomware attack, shutting down part of the computerized system that helped locate 911 callers from the morning of March 25 through the morning of March 26.