It took a health insurance company almost a year to notify some 1.1 million of its members that their personal data had been swiped by hackers. What's more, the cyberattack wasn't even detected in-house. The Baltimore, Md.-based CareFirst BlueCross BlueShield health plan announced the cyberattack May 20, despite the attack occurring back in June 2014. According to a company news release, the cyberattack compromised the names, dates of birth, email addresses, member ID numbers and user names of 1.1 million members. The cyberattack went undetected by the health plan itself. Rather, as CareFirst Chief Executive Officer Chet Burrell described in a statement, outside cybersecurity firm Mandiant "was the firm that actually discovered the attack."
Only after the health plan brought in cybersecurity firm Mandiant to conduct end-to-end IT security testing in the wake of the Anthem and Premera attacks, did CareFirst discover cyberattacks had gained access to a single database that stores members' online services data. CareFirst officials described the breach as a "sophisticated cyberattack," but there are some security officials who question that general wording that was also used to describe the Anthem breach, which compromised the data of as many as 80 million. As Kevin Johnson, founder of security consulting firm Secure Ideas, told Healthcare IT News this February following the Anthem breach: From his experience working with insurance companies on their security together with his seven years working at Blue Cross in Florida, "sophisticated" is an inaccurate word choice when used to describe a cyberattack at an insurance company.
"I have never found an insurance company that required a sophisticated attacking incident," he said. "Period. "They have tons of systems. They have tons of tests," he said. "It's a huge conglomeration of stuff." As Ken Westin, security analyst at Tripwire, sees the CareFirst breach: "In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It's no surprise that several organizations have been targeted and compromised." Attackers look for system vulnerabilities, Westin continued, "vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes."