In the latest disclosure of a cyberattack against a health insurer, CareFirst BlueCross BlueShield says that attackers gained access to a database that included the names of 1.1 million people.
The company said Wednesday that the breach happened in June after a "sophisticated cyberattack." The attackers got into a database that included the names, usernames, birth dates, email addresses and subscriber ID numbers of about 1.1 million current and former members and people who did business with CareFirst.
The attackers did not get access to members' passwords because those are encrypted and stored in a separate system, CareFirst said. They also didn't get access to Social Security numbers, medical claims, or credit cards, and the company said there is no evidence of other breaches.
CareFirst is based in Baltimore. It provides health insurance and services to 3.4 million people in Maryland, Northern Virginia and Washington, D.C. The company is offering two years of free credit monitoring and identity theft protection to consumers affected by the breach.
Earlier this year, Anthem, the second-largest health insurer in the U.S., disclosed a data breach that affected as many as 80 million people. Premera Blue Cross, a health insurer based in the Pacific Northwest, said a breach may have exposed information belonging to 11 million people.
Health care data breaches have grown over the last few years, and researchers at security software maker Symantec say the health care industry has become a major target for cyber criminals. That's partly because the industry's systems may be more easily breached than those of banks and retailers, which were frequent targets in years past.