CareFirst Admits More Than a Million Customer Accounts Were Exposed In Security Breach
An anonymous reader writes with news, as reported by The Stack, that regional health insurer CareFirst BlueCross BlueShield has confirmed a breach which took place last summer and may have leaked personal details of as many as 1.1 million of the company's customers: "The Washington D.C.-based firm announced yesterday that the hack had taken place in June last year. CareFirst said that the breach had been a 'sophisticated cyberattack' and that those behind the crime had accessed and potentially stolen sensitive customer data including names, dates of birth, email addresses and ID numbers. All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, CareFirst said in a statement posted on its website." Free credit monitoring is pretty weak sauce for anyone who actually ends up faced with identity fraud.
Criminal liability ... (Score:5, Insightful)
The only way to fix this is criminal liability, with very stiff fines.
If they're going to continue to be incompetent at security, hit them where it hurts ... right in the profits.
As long as corporations can say "oops" and just pretend that two years of credit tracking like this, nothing at all will change.
Until then, corporations will be as incompetent and lazy as the law allows ... which is pretty much as incompetent and lazy as they want to be.
If you don't make the company pay actual fines, escalating to much bigger things for repeat offenses, corporations will simply do whatever their PR consultants tell them they can get away with ... basically nothing.
Re: Criminal liability ... (Score:1)
That matters nothing when I have fabrications to get upset about.
Re: (Score:3)
Care First is a not for profit company. No shares. No investors. It's member owned.
You are aware that perhaps a majority of nonprofits are shams designed to pull money out as salary and the like, right?
Re: (Score:2)
Forget all that, it'll never make it in front of a judge/jury because the lobbyists will be paying off anyone who even THINKS of making a noise against their precious "too big to fail" health company who never hurt anybody ever and always brushes their teeth before bed and never says a discouraging word. How dare we want our privacy. :/
Re: (Score:2)
I thought we had that with HIPPA.... Did I miss something?
Maybe it's enforcement that's lacking? Actually, take them to civil court, recover damages... That will fix them.
Re: (Score:3)
The fact that there's no such thing as "HIPPA"? Perhaps you meant "HIPAA" ("Health Insurance Portability and Accountability Act").
Re: (Score:2)
The only way to fix this is criminal liability, with very stiff fines.
I agree... have those cyberattackers pay for the rest of their lives.
If they're going to continue to be incompetent at security, hit them where it hurts ... right in the profits.
As long as corporations can say "oops" and just pretend that two years of credit tracking like this, nothing at all will change.
Until then, corporations will be as incompetent and lazy as the law allows ... which is pretty much as incompetent and lazy as they want to be.
If you don't make the company pay actual fines, escalating to much bigger things for repeat offenses, corporations will simply do whatever their PR consultants tell them they can get away with ... basically nothing.
Oh... wait... you mean punish the victim!? If criminal negligence exists, then o.k., but don't accuse the victim (and the "corporations" in this example are victims also) for the success of the criminals.
Re: (Score:3)
As a side note, there seems to be a marketing opportunity he
Re: (Score:2)
Won't make any difference until you make corporate executives legally/financially responsible.
Re: (Score:2)
As long as corporations can say "oops" and just pretend that two years of credit tracking like this, nothing at all will change.
... which is pretty much as incompetent and lazy as they want to be.
Until then, corporations will be as incompetent and lazy as the law allows
When a few events like this happened last year to Home Depot and a few others, I saw a couple of those letters with offers of free credit monitoring, etc.
IANAL, but I am pretty sure these are just attempts to stave off lawsuits. There is nothing binding about the "offers", and they don't preclude you from suing them for liability if you are an actual victim of identity theft.
I think what this will actually take, are some people willing to step up and kick off some big suits. It is those kinds of damag
One thing to consider... (Score:3)
I don't give it to insurance companies, nor to the utilities (yes I pay a deposit but I don't give them my SS number), etc.
You may have to argue a bit and get a manager, but if nothing else, if you can keep your SS number out of systems that will potentially be broken into, at least they won't get that info.
Re: (Score:2)
Doesn't work. In a number of states you HAVE to give the registration desk at the hospital your SSN. Otherwise you are in violation of some idiot state law. Sure, you can get emergency care by forgetting your name and SSN, but try to get some normal health care and yet another obstacle will be tossed in your face.
Federal law now states you have to give the desk a 'government issued ID' for ANY care.
May I see your passport, please?
Re:One thing to consider... (Score:4, Insightful)
Oh, and why is it always a 'sophisticated cyberattack'? That wording is exactly the same as in the letter I recently received outlining the Premera BC/BS data breach [slashdot.org] which happened over a year ago. Must be the same nasty cyber criminals. Or maybe the same unpatched SQL injection bug from 2005.
Re: (Score:3)
Because if they didn't call it that, they might have to say "because we're screamingly incompetent".
You can bet your ass that PR firms and image consultants play a huge part in how this is announced and described.
And "yarg, teh highly sophisticated hax0rs pwned us" puts them in the best possible light.
Now, how difficult and sophisticated the actual attack was, I have no idea.
Re: (Score:2)
HAHA! Or just some pissed-off, underpaid employee with an axe to grind and a spare USB stick, but that is not as fearful news as "sophisticated cyber criminals".
Re: (Score:3)
In a number of states you HAVE to give the registration desk at the hospital your SSN. ... Federal law now states you have to give the desk a 'government issued ID' for ANY care.
While that law is silly, those two statements aren't exactly the same. My state issued ID does not include my SSN.
Re: (Score:2)
No, they aren't the same but it points out that you have to give a health care facility quite a bit of information before they let you in the door. Sometimes you can get away without giving them your SSN (as if that would help), other times no.
Some states do put the SSN on the driver's license. One stop shopping!
Re: (Score:2)
My state doesn't put the SSN on the driver's license, but it did for years. By now I'd guess every 2-bit hacker from here to Russia probably has it. :-P
Re: (Score:3)
In a number of states you HAVE to give the registration desk at the hospital your SSN. Otherwise you are in violation of some idiot state law. ... Federal law now states you have to give the desk a 'government issued ID' for ANY care.
[citation needed]
I used to work in medical data, and SSNs are actually explicitly prohibited in a number of states. I never encountered any state that required them. I'm also particularly skeptical of your "ANY care" comment, as that would prohibit care for foreigners, vagrants, emergencies, and many accidents.
Unfortunately, it is true that many doctors' record systems require the field. I quickly lost count of how many different patients apparently had 123-45-6789 for their SSN.
Re: (Score:2)
Alaska law requires it. Presumably Washington state requires it (at least some clerk told me that, I did not bother to look through the statute books).
Re: (Score:2)
It's a pretty weak citation to say a state requires it, when you can't even be bothered to look if they require it.
What you stated is that in Alaska, one may be refused emergency care if one does not provide a social security number. That is a pretty strong statement and requires a more rigorous citation than "Alaska law requires it". I'm not an expert in searching statutes, but I could find no such statute.
Re: (Score:1)
...do NOT give your social security number to any company for anything other than SS taxation.
I don't give it to insurance companies, nor to the utilities (yes I pay a deposit but I don't give them my SS number), etc.
You may have to argue a bit and get a manager, but if nothing else, if you can keep your SS number out of systems that will potentially be broken into, at least they won't get that info.
You need to understand something: between the credit bureaus, ChoicePoint, the Medical Information Bureau, and all the other for-profit businesses that collect data, collate it, and organize it, as well as other insurance companies AND your employer, with just a couple of pieces of identifying information, I can get your SSN.
The only thing we can do is freeze our credit and hope for the best.
Is this accounts hacking day? (Score:4, Interesting)
This is the third news about massive amounts of accounts being hacked in less than eight hours.
Re: (Score:1)
And as an IT dude going on 20 years I can say that most of these instances of data theft are due to "get it to market now we don't care if it's perfect" thinking and not just incompetence.
I've been in the war room with the developer saying "yeah, we knew that was an issue, we were going to address it in the next release" so many times. In one particular case my team (IT Ops) had been warning the dev team for months about a SQL injection problem, including showing them a posting on a website listing our doma
Re: (Score:2)
I suspect that CareFirst puts its financial bottom line first and everything else a distant 115th.
Re: (Score:2)
from their web site:
"In its 77th year of service, CareFirst BlueCross BlueShield is a not-for-profit, non-stock health services company"
ACA Database (Score:3)
I imagine if/when it happens there will be no mention of it as it would mean every American registered in it would want heads to actually roll.
Security Rehash Part Deux (Score:1)
The more I see this happen, the more I think we need to change the economy for stolen data. Remember when they stopped arresting prostitutes and targeted the johns? Locks can be picked and are there to keep honest people honest. Credit monitoring must be pretty cheap, as more companies buy it as an insurance product. This data is going to be stolen!
Now we need to make it worthless.
In the world of digital "sign up on the web", stolen data can be used pretty quickly. Like the bad checks loophole (popular o
Re: (Score:2)
Remember when they stopped arresting prostitutes and targeted the johns?
Yes that put a stop to prostitution all right. Er wait, what? What do you mean there's still prostitution?
It's one thing to try to come up with solutions. It's another to come up with solutions that actually work.
Re: (Score:1)
It didn't eradicate it. However, the number of "users" dropped significantly. It was considered a turning point in how to deal with the problem.
I was one of the happy customers. (Score:1)
We did get a letter about the security breach, and the offer for 2 free years identity theft protection, so...thanks, I guess? Nothing horrible has happened yet, but as far as I can tell, we don't really have any recourse other than sitting and waiting for bad things to occur. No actionable information provided.
The notice they sent us went out months after they found out about it. Which I'm kind of grumpy about, but at least to some degree makes sense. They don't want to go public with the information until
laugh (Score:2)
It's sad I have been offered this
two years of free credit monitoring and identity threat protection as compensation
6 times now, and from 6 different corps.
And this..
'sophisticated cyberattack'
is bullshit..
http://krebsonsecurity.com/201... [krebsonsecurity.com]
Turns out, the same bulk registrant in China that registered the phony Premera and Anthem domains in April 2014 also registered two Carefirst look-alike domains — careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.
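As an added example (not code from the post, Krebs or ThreatConnect): a defensive check that folds visually confusable characters before comparing newly seen domains against a brand watchlist, so the look-alike names quoted above collapse onto the brands they imitate. The folding table, the watchlist and the observed list are assumptions constructed for this illustration.

```python
"""Look-alike domain check (added example, not from the post or Krebs).

Folds glyphs that imitate a letter ("l" and "1" for "i", "0" for "o", ...)
into one skeleton, so careflrst.com, caref1rst.com and carefirst.com all
reduce to the same string and can be matched against a brand watchlist.
"""
from typing import List, Tuple

# Assumed folding table: each imitating glyph maps to the letter it mimics.
_FOLD = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s",
                       "3": "e", "8": "b", "7": "t"})


def skeleton(label: str) -> str:
    """Confusable-folded form of one DNS label (lower-cased)."""
    # Two-glyph imitations ("vv" for "w", "rn" for "m") are folded first.
    s = label.lower().replace("vv", "w").replace("rn", "m")
    return s.translate(_FOLD)


def registrable_label(domain: str) -> str:
    """Second-level label; assumes a plain two-label name like brand.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, watchlist: List[str]) -> Tuple[str, str]:
    """Return (verdict, matched_brand) for one observed domain.

    verdict is 'exact' (the brand's own name), 'lookalike' (same skeleton,
    different spelling) or 'unrelated'.
    """
    label = registrable_label(domain)
    for brand in watchlist:
        b = registrable_label(brand)
        if label == b:
            return ("exact", brand)
        if skeleton(label) == skeleton(b):
            return ("lookalike", brand)
    return ("unrelated", "")


# Constructed inputs: brand names from the thread, plus one unrelated domain.
WATCHLIST = ["carefirst.com", "empireblue.com", "premera.com", "anthem.com"]
OBSERVED = ["careflrst.com", "caref1rst.com", "empireb1ue.com",
            "carefirst.com", "example.com"]


def scan(observed: List[str], watchlist: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every observed domain against the watchlist."""
    return [(d, *classify(d, watchlist)) for d in observed]


if __name__ == "__main__":
    for domain, verdict, brand in scan(OBSERVED, WATCHLIST):
        print(f"{domain:18} {verdict:10} {brand}")
```

Feeding a newly registered domains feed through scan() is the kind of watch ThreatConnect's finding implies; the skeleton match deliberately ignores TLD, so both sides compare only the registrable label.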
what a great idea (Score:2)
what a great way for IT professionals to get rich: breach their own employer's computer systems and steal their own data.
Ooh! A letter of apology! (Score:2)
Try taking that with you to the bank when you try applying for a loan after your credit has been trashed by an identity thief. See how far along the loan approval process that letter gets you.
WTF are you supposed to do with a damned letter? Feel all warm and fuzzy that they care?
Re: (Score:2)
I would hand the letter to my lawyer, who would then work with credit bureaus to clean up fraudulent activity on my credit report.
Re: (Score:3)
I would hand the letter to my lawyer, who would then work with credit bureaus to clean up fraudulent activity on my credit report.
does he do this kind of stuff for free?
Re: (Score:2)
No, of course not, but if I were in the market for a loan from a bank, having him do that would be well worth the long-term loan costs he could save me.
Re: (Score:2)
10 years ago this was a real problem. Now it just takes a few calls to clear everything up, and a few weeks for it to all get sorted out. Yeah, it sucks you have to waste hours on it, but the credit agencies have a procedure for identity theft reporting now.
If you're ever worried something might happen, just flag your account for fraud. Once you do that, opening any new accounts will require they call you to confirm (which should be the default IMO).
Of course, the real problem is that we're all far too mu
Re: (Score:2)
yeah there's a system that for sure will never ever be breached by hackers
This is why IT should be a licensed profession (Score:2)
I know very few people agree with me on this one, but this is a perfect example of where professional licensure of at least the design part of IT and SW development could prevent problems. No civil engineer with the PE designation would sign off on a dumb design because they and/or their firm would be personally responsible for faulty work, and companies couldn't pressure people into doing so. Engineering of real world systems involves using proven methods and thoroughly testing anything new or different be
Re: (Score:2)
where professional licensure of at least the design part of IT and SW development could prevent problems
this is like saying that professional licensing of auto mechanics will reduce the incidence of drunk driving
So this means ... (Score:2)
... All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, ...
So they're saying that they have such monitoring/protection, but members who aren't explicitly paying extra for such monitoring/protection aren't being protected from identity theft in any way?
Somehow, I don't find this surprising. But I'm a bit surprised that they'd admit it so blatantly and openly.
(Actually, I'm a bit dubious about their implicit claim to have such monitoring/protection already. But it's fairly common for companies to make such claims for PR purposes, without bothering to actually