As many as 1.1 million Washington, D.C., BlueCross BlueShield members may have had their information accessed in a cyber-breach that occurred in June of 2014.
CareFirst BlueCross BlueShield announced Wednesday it had been the target of a "sophisticated cyberattack," the company said in a release.
The attackers could have potentially acquired members' names, birth dates, email addresses and subscriber identification numbers.
However, CareFirst said its user names must be used in conjunction with a member-created password to gain access to underlying member data on the website.
The database that was breached did not include these passwords, which were encrypted and stored in a separate system as a safeguard against such attacks.
That means the attackers did not have access to member Social Security numbers, medical claims, employment, credit card, or financial information, CareFirst said.
The company is blocking member access to the accounts that might have been compromised, and is asking members to create new user names and passwords for them.
All affected users will be sent letters granting them two years of free credit monitoring and identity theft protection, the company said in a statement posted on its site.
The attack came to light when CareFirst hired
"The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year," said Charles Carmakal, managing director of Mandiant.
The SANS Institute, a company that trains cyber security professionals, warned healthcare companies last spring about becoming major targets for hackers.
"While many companies do get breached, many companies find out very quickly and limit the damage. This was a case of a company not noticing for a year, and that's bad," John Pescatore, a director for the SANS institute said.
The fact that the health care company's members are primarily based in Northern Virginia, Maryland and
"Obviously, we know what's there," said Rick Holland with
Industrial spying by China is well known. On Tuesday federal prosecutors made public charges against a Chinese espionage ring that included two professors who studied together at the University of Southern California. The ring stole trade secrets and gave them to Chinese companies.
CareFirst has set up a website for people with questions about the breach and resources for people affected. http://carefirstanswers.com/