As part of CareFirst's ongoing information technology (IT) security efforts in the wake of recent cyberattacks on other health insurers, CareFirst engaged the services of Mandiant, one of the world's leading cybersecurity firms, to conduct an end-to-end assessment of its IT environment. This assessment included multiple, comprehensive scans of our IT systems and related devices for evidence of any cyberattack.
Partway through this assessment, on April 21, 2015, Mandiant discovered that a sophisticated cyberattack occurred that likely resulted in a limited unauthorized access to a database on June 19, 2014. The database stores data that members and other individuals used to access CareFirst's website. Mandiant has completed its review and has found no evidence of any other prior or subsequent attack or evidence that other personal information was accessed.
CareFirst reported the attack to the Federal Bureau of Investigation (FBI) and is cooperating with the investigation. Any inquiries regarding the investigation should be directed to the FBI.
CareFirst did detect the initial attack and took immediate action to contain it. At the time, CareFirst believed it had contained the attack and prevented any actual access to member information. The evidence that data was accessed was found during a comprehensive assessment conducted as part of CareFirst's ongoing information security efforts in the wake of cyberattacks on other health care companies.
The investigation determined that the attackers could have acquired the unique user name you created when registering to use CareFirst's online services at www.carefirst.com, as well as your name, birth date, email address, and subscriber identification number. The database accessed by the attackers contained no member Social Security numbers, medical claims, employment, credit card, or financial information.
The information accessed in this attack is of limited utility to others. It is important to understand that the attackers did not gain access to the password you set up, because CareFirst keeps passwords in a separate, encrypted database. Without the password, the attackers could not reach any underlying information, including your Social Security number, medical information, claims information, credit card, banking or financial information. The user name alone cannot be used to access member information without the associated password.
Information for CareFirst members who created online accounts at www.carefirst.com prior to June 20, 2014 was potentially accessed in this attack. Members who enrolled to use CareFirst online services on or after June 20, 2014 are not affected because their enrollment occurred after the date of the unauthorized access.
Members who created accounts on www.carefirst.com prior to June 20, 2014 are affected by this incident. CareFirst is mailing letters to all affected members and those affected should receive a notification letter in the next 1 to 3 weeks. Members who enrolled to use CareFirst online services on or after June 20, 2014 are not affected because their enrollment occurred after the date of the unauthorized access.
No. The database affected contains no member Social Security numbers, medical claims, employment, credit card, financial, or any other information about you.
Limited personal information was accessed as a result of this attack. Nonetheless, CareFirst is offering two years of free credit monitoring and identity theft protection services to those members affected through Experian's® ProtectMyID® Alert. Affected members will receive a letter from CareFirst within the next two weeks. That letter will contain a personalized code that will be used to access the free protection services. If you have received a letter, you can click on the link at www.carefirstanswers.com to enroll or call Experian at 888-451-6562.
Again, you must have the personalized code contained in your notification to enroll online. Likewise, you will not be able to enroll at the number above until you have received a letter with your personalized code.
Dependents under 18 for whom an account was created on www.carefirst.com will receive a letter in care of the parent or guardian notifying them and detailing how to enroll in Experian's® Family Secure service.
In addition to offering two years of free credit monitoring and identity theft protection for those affected, CareFirst is requiring affected members to create new user names and passwords to continue to access their information through www.carefirst.com. This is a simple process; members who need to do so will be prompted and given instructions when visiting carefirst.com.
The attack was reported to the FBI and we will continue to work both internally and with industry-leading experts to strengthen and enhance our IT security.
You can enroll once you receive a letter with your personalized code.
Click here or call 888-451-6562. Please be sure to have the engagement number and activation code included in your letter.
CareFirst has established a process to provide you with access to credit monitoring and identity theft protection if you were impacted by the cyberattack but did not receive a letter. Click on the tab labeled "Didn't Get a Letter?" There, you will see a substitute notice letter for individuals who did not receive a letter in the mail. Follow the instructions in the notice to receive via email the personalized code necessary to enroll in the protections offered by CareFirst.
If you are affected you will receive a letter from CareFirst containing the engagement number and activation code necessary to enroll in credit monitoring and identity theft protection. You cannot enroll until you receive a letter notifying you that you have been affected.
Yes. Affected CareFirst members must create new user names and passwords to access their information through My Account on www.carefirst.com. This is a simple process; members who need to do so will be prompted and given instructions when visiting carefirst.com.
CareFirst will not contact you by email or by unsolicited phone call about this attack. If you receive inquiries by phone, email or social media purporting to be related to this attack, they are not from CareFirst.
You should be aware that you may receive scam and phishing emails claiming to be from CareFirst in relation to this attack. If you receive an email claiming to be related to this attack you should take the following steps:
DO NOT reply to the email or reach out to the sender(s) in any way.
If you have clicked on a link in the email, DO NOT enter any information on any website that opens.
DO NOT open any attachments included in the email.
You can learn more about protecting yourself online at:
We first learned of the attack on April 21, 2015 when the review of CareFirst's systems was not yet complete. This was when Mandiant discovered that a cyberattack occurred and likely resulted in a limited unauthorized access to a database. It was necessary to complete the comprehensive forensic information technology review of all of CareFirst's systems to understand the nature of the attack, the information potentially accessed, and the members who were affected. In addition, the comprehensive review was necessary to determine that there was no evidence of any prior or ongoing attacks and to take steps necessary to ensure the integrity of the system.
No. The information potentially accessed as a result of the attack was for CareFirst members, specifically those who created online accounts on www.carefirst.com prior to June 20, 2014.