On May 20, 2015, CareFirst announced it has been the target of a sophisticated cyber attack. A single data base in which CareFirst stores data that members and other individuals enter to access CareFirst’s websites and online services was compromised. The data included:
Unique member username created by members when registering to use www.carefirst.com
Name
Birth date
Email address
Subscriber identification number
No passwords were in the database and usernames require the associated password to be used to access carefirst.com. Additionally, no member Social Security numbers, medical claims, employment, credit card, financial, or any other member information was involved.
CareFirst will begin mailing letters to approximately 1.1 million affected members shortly. Though they believe the risk to affected members is not great because of the nature of the information involved, they hope to provide affected members with additional peace of mind by offering two free years of credit monitoring and identity theft protection services. More information about these services will be provided in the letter to members who are impacted by the breach.
CareFirst has established the following resources for member questions:
A dedicated call center – 888-451-6562 (International customers may call 479-573-7373)
A dedicated website – www.carefirstanswers.com
At this time the state of Maryland Employee Benefits Division (EBD) does not know how many state of Maryland participants may have been affected by the cyber attack. As information becomes available, EBD will share it with TU OHR and post it on the State of Maryland Health Benefits website.
