More than 1.1 million user records have been compromised following a hack against US health insurer CareFirst BlueCross BlueShield.
Data including members’ names, birth dates, email addresses and subscriber identification numbers may have been stolen by hackers as a result of a security breach last July.
The hack was only discovered after CareFirst audited its systems following a spate of attacks against other health insurers in recent months.
FireEye Mandiant, the security firm called in to audit CareFirst, discovered that "attackers gained limited, unauthorized access to a single CareFirst database".
Evidence suggests passwords, social security numbers, financial information or medical claims were not exposed by the breach.
As such, the biggest immediate problem from the breach is the risk that crooks might use the purloined data to coax victims into disclosing yet more information via phishing attacks or similar ruses.
To its credit, CareFirst has apologised for the breach and offered the victims two years of free credit monitoring services via a prominent notice on its website:
"CareFirst BlueCross BlueShield has confirmed that cyberattackers gained limited, unauthorized access to a CareFirst database.
"We understand that the security of your information is important and we are taking steps to protect members in light of this attack and moving forward.
"We are offering two years of free credit monitoring and identity theft protection services for those members affected. If you have been affected, you will receive a letter from CareFirst."
CareFirst chief exec Chet Burrell has apologised in a video that can be found on carefirstanswers.com. Commentary on the impact of the incident can be found in a blog post by industry veteran Graham Cluley on the Tripwire State of Security blog.