Slashdot Mirror


CareFirst Admits More Than a Million Customer Accounts Were Exposed In Security Breach

An anonymous reader writes with news, as reported by The Stack, that regional health insurer CareFirst BlueCross BlueShield has confirmed a breach which took place last summer, and may have leaked personal details of as many as 1.1 million of the company's customers: "The Washington D.C.-based firm announced yesterday that the hack had taken place in June last year. CareFirst said that the breach had been a 'sophisticated cyberattack' and that those behind the crime had accessed and potentially stolen sensitive customer data including names, dates of birth, email addresses and ID numbers. All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, CareFirst said in a statement posted on its website." Free credit monitoring is pretty weak sauce for anyone who actually ends up faced with identity fraud.

17 of 82 comments

  1. Criminal liability ... by gstoddart · · Score: 4, Insightful

    The only way to fix this is criminal liability, with very stiff fines.

    If they're going to continue to be incompetent at security, hit them where it hurts ... right in the profits.

    As long as corporations can say "oops" and just pretend that two years of credit tracking like this, nothing at all will change.

    Until then, corporations will be as incompetent and lazy as the law allows ... which is pretty much as incompetent and lazy as they want to be.

    If you don't make the company pay actual fines, escalating to much bigger things for repeat offenses, corporations will simply do whatever their PR consultants tell them they can get away with ... basically nothing.

    --
    Lost at C:>. Found at C.
    1. Re: Criminal liability ... by Old97 · · Score: 4, Interesting

      Care First is a not for profit company. No shares. No investors. It's member owned.

      --
      Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
    2. Re:Criminal liability ... by Dunbal · · Score: 2

      Agree 100% with your post. But it will never happen. No one wants to be the prosecutor/judge who put 10,000 people out of work. So we get slaps on the wrist and minuscule fines, and corporations just go on doing what they feel like doing with lip service to laws that would easily have any one of us in jail serving consecutive sentences.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:Criminal liability ... by Chris+Mattern · · Score: 2

      I thought we had that with HIPPA.... Did I miss something?

      The fact that there's no such thing as "HIPPA"? Perhaps you meant "HIPAA" ("Health Insurance Portability and Accountability Act").

    4. Re: Criminal liability ... by l0n3s0m3phr34k · · Score: 2

      Doesn't matter, HIPAA law doesn't have a designation that says "non-profits don't have to follow this law". Care First should be receiving a fine for every piece of lost information. Just because it's member owned doesn't mean they don't have to do security audits, real-time monitoring, etc. If anything these "members" who own it should be on the hook personally for the fines. If it's "your business" (i.e., member owned) and you're making profit off it, you should also be an active participant in the business.

    5. Re:Criminal liability ... by l0n3s0m3phr34k · · Score: 2

      They're only a "victim" due to lax security. The corporation broke the law too, by not properly securing their data as required by HIPAA law. And we SHOULD accuse them partially for the success of the criminals, as they enabled them twice. Once by having crap security, and two by not even noticing for an entire year. The HIPAA law might have changed since I did audits, but you're supposed to do them on a yearly basis as well. So, triple failure.

      As a side note, there seems to be a marketing opportunity here for security companies to do active domain name "dyslexic" attacks. It seems it would be trivial to have a script that transposes numbers into the real URL and does a WHOIS on a scheduled basis. Really, there are probably a dozen employees at Carefirst who could do this. At my job, probably over 50% of the people I directly work with could either do this off the top of their head or figure out how to do this in a few days; and they're not even programmers or such.

    6. Re: Criminal liability ... by Etherwalk · · Score: 2

      Care First is a not for profit company. No shares. No investors. It's member owned.

      You are aware that perhaps a majority of nonprofits are shams designed to pull money out as salary and the like, right?

  2. One thing to consider... by cayenne8 · · Score: 2
    ...do NOT give your social security number to any company for anything other than SS taxation.

    I don't give it to insurance companies, nor to the utilities (yes I pay a deposit but I don't give them my SS number), etc.

    You may have to argue a bit and get a manager, but if nothing else, if you can keep your SS number out of systems that will potentially be broken into, at least they won't get that info.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    1. Re:One thing to consider... by ColdWetDog · · Score: 3, Insightful

      Oh, and why is it always a 'sophisticated Cyberattack'? That wording is exactly the same as in the letter I recently received outlining the Premera BC/BS data breach, which happened over a year ago. Must be the same nasty cyber criminals. Or maybe the same unpatched SQL injection bug from 2005.

      --
      Faster! Faster! Faster would be better!
    2. Re:One thing to consider... by unrtst · · Score: 2

      In a number of states you HAVE to give the registration desk at the hospital your SSN. ... Federal law now states you have to give the desk a 'government issued ID' for ANY care.

      While that law is silly, those two statements aren't exactly the same. My state issued ID does not include my SSN.

    3. Re:One thing to consider... by gstoddart · · Score: 2

      Oh, and why is it always a 'sophisticated Cyberattack'?

      Because if they didn't call it that, they might have to say "because we're screamingly incompetent".

      You can bet your ass that PR firms and image consultants play a huge part in how this is announced and described.

      And "yarg, teh highly sophisticated hax0rs pwned us" puts them in the best possible light.

      Now, how difficult and sophisticated the actual attack was, I have no idea.

      --
      Lost at C:>. Found at C.
    4. Re:One thing to consider... by Sarten-X · · Score: 2

      In a number of states you HAVE to give the registration desk at the hospital your SSN. Otherwise you are in violation of some idiot state law. ... Federal law now states you have to give the desk a 'government issued ID' for ANY care.

      [citation needed]

      I used to work in medical data, and SSNs are actually explicitly prohibited in a number of states. I never encountered any state that required them. I'm also particularly skeptical of your "ANY care" comment, as that would prohibit care for foreigners, vagrants, emergencies, and many accidents.

      Unfortunately, it is true that many doctors' record systems require the field. I quickly lost count of how many different patients apparently had 123-45-6789 for their SSN.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:One thing to consider... by Sarten-X · · Score: 2

      Alaska statute 45.48.410 explicitly permits hospitals to ask, but I can't find a statute that requires it.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  3. Is this accounts hacking day? by ArcadeMan · · Score: 3, Interesting

    This is the third news about massive amounts of accounts being hacked in less than eight hours.

  4. ACA Database by g0bshiTe · · Score: 2

    I'm just waiting till the treasure trove that is the national ACA exchange gets hacked.

    I imagine if/when it happens there will be no mention of it as it would mean every American registered in it would want heads to actually roll.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  5. laugh by koan · · Score: 2

    It's sad I have been offered this

    two years of free credit monitoring and identity threat protection as compensation

    6 times now, and from 6 different corps.

    And this..

    'sophisticated cyberattack'

    is bullshit..
    http://krebsonsecurity.com/201...

    Turns out, the same bulk registrant in China that registered the phony Premera and Anthem domains in April 2014 also registered two Carefirst look-alike domains — careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).

    Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.

    --
    "If any question why we died, Tell them because our fathers lied."
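The detection idea in l0n3s0m3phr34k's side note above (a scheduled script that generates letter/number-swapped variants of the real domain and checks whether they have been registered) and the careflrst / caref1rst / EmpireB1ue look-alikes quoted from Krebs in koan's comment come down to the same check. The Python below is an added example for this mirror, not code from any commenter, Slashdot, Krebs on Security or ThreatConnect: it builds a substitution table of commonly confused characters, generates the look-alike labels for a brand domain, and flags any entry in a feed of newly registered domains that matches one. The CONFUSABLES table, the brand list and the NEWLY_REGISTERED feed are constructed for the example; a real deployment would fill the feed from scheduled WHOIS queries, certificate transparency logs or a newly-registered-domain list, and would use a public-suffix list instead of the naive second-level-label split used here.

```python
"""Look-alike (homoglyph / digit-swap) domain detection for a brand's domains.

Added example, not from the Slashdot thread. All sample data is constructed.
"""
import itertools
from typing import Dict, Iterable, List, Set, Tuple

# Character swaps commonly seen in look-alike registrations. Each key may be
# replaced by any listed alternative. This table is an assumption of the
# example, not a standard list; extend it for the alphabets your brands use.
CONFUSABLES: Dict[str, List[str]] = {
    "i": ["l", "1"],
    "l": ["i", "1"],
    "o": ["0"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
}


def registrable_label(domain: str) -> str:
    """Return the second-level label of a domain ('careflrst.com' -> 'careflrst').

    Deliberately naive: no public-suffix handling, so 'foo.co.uk' yields 'co'.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalikes(label: str, max_subs: int = 2) -> Set[str]:
    """Return every variant of `label` with 1..max_subs confusable swaps applied."""
    label = label.lower()
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    variants: Set[str] = set()
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            choices = [CONFUSABLES[label[i]] for i in combo]
            for replacement in itertools.product(*choices):
                chars = list(label)
                for pos, new_char in zip(combo, replacement):
                    chars[pos] = new_char
                variants.add("".join(chars))
    variants.discard(label)  # never flag the genuine domain itself
    return variants


def describe_substitutions(brand_label: str, variant: str) -> str:
    """Describe which characters differ, e.g. "'i' -> 'l' at index 5"."""
    return ", ".join(
        f"'{a}' -> '{b}' at index {i}"
        for i, (a, b) in enumerate(zip(brand_label, variant))
        if a != b
    )


def find_lookalikes(brands: Iterable[str], feed: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (registered_domain, brand_domain, description) for every feed
    entry whose label is a look-alike of one of the brand labels."""
    tables = {brand: lookalikes(registrable_label(brand)) for brand in brands}
    hits: List[Tuple[str, str, str]] = []
    for domain in feed:
        label = registrable_label(domain)
        for brand, variants in tables.items():
            if label in variants:
                why = describe_substitutions(registrable_label(brand), label)
                hits.append((domain, brand, why))
    return hits


# Constructed feed standing in for one day's newly registered domains.
NEWLY_REGISTERED = [
    "careflrst.com",    # 'i' -> 'l' (the pattern described in the Krebs excerpt)
    "caref1rst.com",    # 'i' -> '1'
    "c4ref1rst.com",    # two swaps: 'a' -> '4' and 'i' -> '1'
    "empireb1ue.com",   # 'l' -> '1'
    "carefirst.com",    # the genuine domain: must not be flagged
    "example.net",      # unrelated
]

# Constructed brand list for the example.
BRANDS = ["carefirst.com", "empireblue.com"]

if __name__ == "__main__":
    for domain, brand, why in find_lookalikes(BRANDS, NEWLY_REGISTERED):
        print(f"{domain:18} looks like {brand:16} ({why})")
```

Matches come back as (domain, brand, description) tuples so a monitoring job can alert on them and a human can triage quickly; the description uses the same "'i' -> 'l'" wording as the Krebs excerpt. Raising max_subs widens the net but grows the variant set combinatorially, so two swaps is a sensible default for a daily feed.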
  6. Re:Ooh! A letter of apology! by FranTaylor · · Score: 2

    I would hand the letter to my lawyer, who would then work with credit bureaus to clean up fraudulent activity on my credit report.

    Does he do this kind of stuff for free?