Attorney General Racine Alerts District Consumers to Security Breach Affecting CareFirst’s Online Customers

Health-Coverage Network’s Database for Online Subscribers Hacked

Washington, DC – Attorney General Karl A. Racine today alerted District residents to a cyberattack on the CareFirst BlueCross BlueShield network that may have affected thousands of customers in D.C. The attackers gained limited access to a database of accounts for those doing online business with the health-coverage network. The information to which the attackers gained access may have included the subscribers’ usernames as well as their legal names, birthdates, e-mail addresses and member identification numbers.

“This cyberattack is another example of why it is important, in this wired age, for individual consumers to be vigilant about their personal information,” Attorney General Racine said. “Consumers should always keep a close watch on their bank accounts, regularly monitor their credit reports, and call their financial institutions if anything seems amiss.”

According to CareFirst, the database that the attackers breached did not contain member Social Security numbers, medical claims, employment information, credit card numbers, or financial information. The company reports that approximately 1.1 million customers who registered to use CareFirst’s websites prior to June 20, 2014, have been affected by this event.

Have You Been Affected?
CareFirst is mailing letters to all affected members, and those letters should be received within three weeks. The company is offering free credit-monitoring services to affected members for up to two years. Members who enrolled to use CareFirst online services on or after June 20, 2014, are not affected.

If you believe you may have been affected because you registered to use CareFirst’s website before June 20, 2014, but do not receive a letter within the next three weeks, call CareFirst at (888) 451-6562.

The breach was discovered as part of a CareFirst review of its information-technology systems conducted by the cybersecurity firm Mandiant. The review determined that cyberattackers gained access to the database in June 2014.

More information about the cyberattack can be found at www.carefirstanswers.com.

More information on the Office of the Attorney General’s consumer-protection efforts is available at http://oag.dc.gov/consumerprotection.