The nonprofit health insurer, which serves 3.4 million individuals and groups in Maryland, D.C. and Northern Virginia, said a single database was breached June 19, 2014. It said hackers may have had access to users’ names, birth dates, email addresses and subscriber identification numbers.
In light of previous cyberattacks on health insurers (most famously Anthem Inc.), CareFirst engaged Herndon-based cybersecurity firm Mandiant to conduct an examination of its IT systems. That investigation uncovered evidence of the attacks, though no other data breaches were detected. Traces of the attack were first detected on April 21, 2015.
He added that the attacks were sophisticated enough to go completely undetected by the company’s own security efforts, saying only traces of evidence remain from the attacks.
“We have constant monitoring going on, every second of every day, but the nature of this attack was sophisticated enough that we couldn’t detect it,” he said.