Thursday, 21. May 2015

What You Need to Know about the CareFirst Breach

On May 20, CareFirst BlueCross BlueShield announced that it had been the victim of a data breach in June 2014 that affects 1.1 million current and former customers.

This is the third major healthcare data breach affecting an affiliate of the BlueCross BlueShield network, following the Anthem data breach announced in February and the Premera data breach announced in March.

Compared to those two, this latest breach is less severe: fewer people are affected, and the information exposed is less sensitive. According to CareFirst, the data breach affects:

•  member-created user names
•  members’ names
•  members’ birth dates
•  members’ email addresses
•  subscriber identification number.

The data breach does not affect:

•  members’ passwords
•  members’ Social Security numbers
•  members’ medical claims
•  members’ employment information
•  members’ credit card information
•  members’ financial information.

This means that the main risk those affected face is an increased exposure to spam and phishing attacks that use the stolen information. A name, birth date, email address, and subscriber identification number together are enough to craft a convincing message that appears to come from CareFirst.

However, there is another risk that everyone needs to be aware of: spam and phishing attacks that leverage concern around this situation. And CareFirst’s response has, unfortunately, made the attackers’ job easier.

CareFirst has put up a new website to provide information about this breach. Unfortunately, the way this site has been set up makes spam and phishing attacks easier, for two reasons:

1. It uses a new, separate domain rather than a page under CareFirst’s main domain, so nothing about the address visibly ties it to the company.

image 1


2. Currently, it does not use SSL by default; visitors land on the site over plain HTTP.


image 2

And in fact, the certificate the site does present doesn’t match its domain name, so a visitor who forces HTTPS gets a browser certificate warning rather than confirmation that the site is genuine.


image 3

Taken together, the well-intentioned CareFirst information site makes it easy for attackers to set up competing scam sites on other plausible-sounding domains, direct concerned people to them, instruct them to provide personal information to register for their free credit monitoring, and then harvest that information for malicious purposes. In fact, if a scam site did this over SSL with a valid certificate, it would look MORE secure and legitimate than the official CareFirst site.

If you’re concerned about this situation, the best way to protect yourself is to go to no website other than the official CareFirst site:

image 4


This site does redirect to but you can confirm that you’re on the official site by checking the SSL certificate.

image 5

Once on the official CareFirst site, you can get further information on the situation and what you can do.
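The check a browser performs when it decides that a certificate “doesn’t match the domain” (the problem noted with the information site above) is the same one you perform by hand when verifying the official site’s certificate: the hostname in the address bar must appear among the names the certificate was issued for. The following is an added example, not code from this post or from CareFirst, that implements that name-matching rule and reports the result in plain words. The certificate names and hostnames in it are invented for illustration, and the wildcard handling is a simplified form of the RFC 6125 rules (no public-suffix list).

```python
"""Hostname-vs-certificate matching, as a browser does it (added example)."""
import socket
import ssl


def _names_from_cert(cert):
    """Return the DNS names a certificate claims, in the order a client should
    consult them: subjectAltName dNSName entries; the CN is consulted only when
    there is no SAN at all (RFC 6125 section 6.4.4)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively and
    ignoring a trailing dot. A wildcard is accepted only as the entire leftmost
    label, it matches exactly one label, and at least two literal labels must
    follow it, so '*.com' never matches anything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate is valid for this hostname."""
    return any(_name_matches(name, hostname) for name in _names_from_cert(cert))


def explain_match(cert, hostname):
    """Human-readable verdict, the way a cautious user would want it."""
    names = _names_from_cert(cert)
    if hostname_matches(cert, hostname):
        return "OK: certificate is valid for %s" % hostname
    return "MISMATCH: %s is not among %s" % (hostname, names or ["<no names>"])


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect over TLS, verify the chain against the system trust store, and
    return the peer certificate dict. Name checking is deferred to
    hostname_matches() so a mismatch is reported instead of raised.
    Needs network access; the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by hostname_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# The names are invented for this example and are not CareFirst's.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-hosting.net"),),),
    "subjectAltName": (
        ("DNS", "www.example-hosting.net"),
        ("DNS", "*.example-hosting.net"),
    ),
}

if __name__ == "__main__":
    # A site hosted under a provider's certificate but reached via its own
    # domain produces exactly the mismatch described in the post.
    for host in ("www.example-hosting.net", "cdn.example-hosting.net",
                 "breach-info.example.org"):
        print(explain_match(SAMPLE_CERT, host))
```

To check a live site, pass the hostname from the address bar to `fetch_peer_cert()` and feed the result to `explain_match()`; a “MISMATCH” verdict for the address you typed means the certificate was issued to someone else, which is the condition that makes a look-alike domain indistinguishable from the real one.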

This breach continues the trend we outlined in our Q1 2015 Security Roundup of major healthcare-related data breaches in the United States. Based on that, we’re reaching a point where everyone should be extra watchful of activity involving their personal and financial information. This breach actually occurred 11 months ago, which means attackers have had the information that long without the victims knowing it. There are likely other breaches that have happened, or are happening, that we don’t know about yet.

In addition to increased vigilance, using security products that have robust antispam and antiphishing capabilities like Trend Micro™ Internet Security can also help protect against these sorts of attacks.

Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.