Cybersecurity

Major DC insurance provider hacked by ‘foreign cybercriminals’

CareFirst BlueCross BlueShield’s Community Health Plan District of Columbia (CHPDC) suffered a data breach carried out by what it described as a “foreign cybercriminal” group in January that potentially impacted sensitive data, the company told customers this week.

The insurance provider notified customers in writing through a letter obtained by The Hill and through an online announcement on Monday.

The company wrote that the breach had taken place Jan. 28, and that the company had notified both the FBI and the Office of the Attorney General for the District of Columbia, and was working with cybersecurity group CrowdStrike in responding to the security incident. 

After analysis, CHPDC assessed the attack was likely carried out by a “sophisticated, foreign cybercriminal enterprise,” and that it was too early to say how many customers had been affected or what data was taken.

A written notification to customers went further, with the company noting that some of the stolen information may have included names, addresses, phone numbers, dates of birth, Medicaid identification numbers, and other medical information. 

CHPDC stressed that Social Security numbers were not compromised, and that it immediately called in experts from CrowdStrike to further protect personal information and understand how the hack successfully occurred. 

“We’ve taken immediate steps to limit the impact of the attack and protect and secure our systems and the information of our enrollees,” CEO George Aloth said in a statement provided to The Hill. “We’re angry and troubled that anyone would target our enrollees. We’re taking aggressive action on behalf of all those we serve to ensure they are supported and notified as more information becomes available.”

The company is offering free two-year credit and identity theft monitoring to all enrolled customers potentially impacted, and a website with more information on the breach. 

The breach is the third to hit CareFirst BlueCross BlueShield in the past six years, which overall serves around 3.4 million customers in Virginia, Maryland and Washington, D.C., and is one of the largest health insurance providers in the region. 

Around 1.1 million current and former enrollees had information compromised as part of a major breach in 2014 that was disclosed by the company in 2015. A second data breach took place in 2018, when almost 7,000 customers had information compromised as part of an email phishing attack.

The FBI and CrowdStrike did not respond to The Hill’s request for comment. Washington, D.C.’s Department of Health Care Finance, which partially funds the CHPDC, also did not respond to a request for comment. 

Cyberattacks against health care groups have multiplied over the past year in particular during the COVID-19 pandemic, with many groups seen as vulnerable targets by malicious cyber criminals. 

The FBI and the Cybersecurity and Infrastructure Security Agency put out an alert in October warning that hackers were stepping up attacks on hospitals and health care providers. 

Hospitals across the nation have seen services impacted by cyberattacks, while foreign hackers have also targeted researchers and medical professionals involved in COVID-19 treatment and research.