Maggie Miller and Laura Kelly report: CareFirst BlueCross BlueShield’s Community Health Plan District of Columbia (CHPDC) suffered a data breach carried out by what it described as a “foreign cybercriminal” group in January that potentially impacted sensitive data, the company told customers this week. The insurance provider notified customers in writing through a letter obtained by The Hill and through an online announcement on Monday. The company wrote that the breach had taken place Jan. 28, and that the company had notified both the FBI and the Office of the Attorney General for the District of Columbia, and was working with cybersecurity group CrowdStrike in responding to the security incident. Read more on The Hill. CareFirst’s statement can be found on their web site.
From EPIC.org: The D.C. Circuit has ruled that it lacks jurisdiction to hear the appeal of CareFirst customers whose data was stolen in a 2014 data breach. The lower court in Attias v. CareFirst dismissed most of the plaintiffs and claims in the case for failure to allege damages and certified the dismissed claims for appeal. The D.C. Circuit determined that some of the claims could not be appealed until the remaining claims were resolved by the lower court, and it was not clear whether the district court judge intended to certify the claims of the dismissed plaintiffs alone. The decision comes over a year after the parties briefed the substantive questions on appeal. EPIC filed an amicus brief that urged the court to impose a duty of reasonable data protection on businesses to ensure that companies protect the personal data they collect. EPIC also filed an amicus brief in the case the last time it was in the D.C. Circuit on a challenge to consumer standing. The D.C. Circuit held that the CareFirst consumers had standing to sue for the data breach.
Morgan Eichensehr reports: CareFirst BlueCross BlueShield, Maryland’s largest health insurer, has been the victim of a “phishing” email attack that potentially affected 6,800 of its members. This breach comes about three years after CareFirst weathered another cyberattack that affected more than 1 million of its members. The Baltimore company has 75 percent market share in the state and covers about 3.2 million members in the mid-Atlantic region. Read more on Baltimore Business Journal.

Update: here’s their press release:

Baltimore, Md., March 30, 2018 (GLOBE NEWSWIRE) — CareFirst BlueCross BlueShield (CareFirst) today announced that the company has been the victim of a “phishing” email attack potentially affecting 6,800 CareFirst members. Phishing attacks use deceptive emails and websites to gather personal information.

On March 12, CareFirst determined that an employee was the victim of a phishing email which compromised the employee’s email account. The compromised email account was used to send spam messages to an email list of individuals not associated with CareFirst. However, because the email account was compromised, the attackers gained access to the employee’s email and could have potentially accessed personal information of 6,800 CareFirst members, including names, member identification numbers, date of birth, and in limited cases (8 individuals) social security numbers. No medical or financial information was compromised.

The original phishing message and the resulting spam messages have been forensically examined by CareFirst’s information security team as well as by a 3rd party information security firm. CareFirst’s systems in general were also forensically analyzed. There was no evidence of malware in the phishing email or spam and no other suspicious activity was detected within CareFirst’s systems. The individual email account was reset.
Though the information accessible in the email account would be of limited use to an attacker and there is no evidence that CareFirst member information has been improperly used, CareFirst will offer free credit monitoring and identity theft protection for those affected for two years. Potentially affected members will be contacted directly by CareFirst with information on enrolling in the protections being offered. CareFirst has a comprehensive information security program and employees must annually complete mandatory information security training. CareFirst conducts an ongoing security awareness program for employees through which employees are educated about cyberattack tactics about which they must remain vigilant.
Daniel Kagan of Murtha Cullina cuts to the chase: On February 16, 2018, the U.S. Supreme Court denied certiorari to review CareFirst’s appeal of the U.S. Court of Appeals, D.C. Circuit’s decision in Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017). The D.C. Circuit held that the threat of harm from a data breach is enough to satisfy the “injury in fact” standing requirement. Other circuit courts of appeal have reached the opposite conclusion. Unfortunately, the U.S. Supreme Court will not be addressing that circuit split this session. See our previous entry on the CareFirst case.

Kristin Ann Shepard of Carlton Fields has a bit more to say: ….. In the absence of Supreme Court guidance on this issue, we anticipate that district courts within the District of Columbia, Sixth, and Seventh Circuits – which have ruled favorably for plaintiffs on the standing issue – will emerge as the forums of choice for data breach class actions. By contrast, defendants will likely seek to consolidate data breach class actions in the district courts within the Eighth and Fourth Circuits, which have taken a narrower approach. Does the denial of certiorari indicate a reluctance by the Court to weigh in on other thorny standing issues? As we previously reported, the Supreme Court recently denied a petition for writ of certiorari in Spokeo II, which asked the Court to resolve a circuit split over whether intangible harm to a statutorily-protected interest constitutes injury in fact even when a plaintiff cannot allege “real-world” harm or the imminent risk thereof. Until the Supreme Court addresses these questions, expect confusion rather than clarity to govern key standing issues in the class action context.

Is the Supreme Court’s refusal to hear these cases perhaps its way of saying that maybe Congress should try to use a legislative approach? If so, let me just point at our dysfunctional Congress and laugh hysterically at their naive hope.
Evan Sweeney reports: The U.S. Supreme Court has denied an appeal filed by CareFirst to review a case stemming from a 2014 data breach. The Supreme Court issued its decision on Tuesday, eliminating the possibility, for now, that the court will weigh in on questions about whether the possibility of harm from a data breach is enough for victims to bring legal action. It would have been the first data breach case to reach the high court. Read more on Fierce Healthcare.
Jessica Davis reports: Maryland-based CareFirst has filed a final appeal to the U.S. Supreme Court to hear its data breach case, arguing that without a high court review, companies in every sector will be hit with a “flood” of data breach lawsuits in the future. The appeal stems from a decision by the U.S. Court of Appeals in the District of Columbia in August that allowed the 1.1 million members impacted by CareFirst’s data breach in 2014 to pursue a lawsuit against the company. Read more on Healthcare IT News.
Elizabeth Snell reports: November 13, 2017 – A petition for writ of certiorari was recently filed with the US Supreme Court, pushing the CareFirst data breach case forward. CareFirst wants its case reviewed, which could potentially reignite the debate over how plaintiffs need to establish that injuries took place from a data breach. In August 2017, the US Court of Appeals for the District of Columbia Circuit reversed a previous ruling in the CareFirst case. The appeals court said “the district court gave the complaint an unduly narrow reading,” and that the plaintiffs “cleared the low bar to establish their standing at the pleading stage.” Read more on HealthIT Security.
Brendan Pierson reports: A federal judge has dismissed a proposed class action over a 2015 cyberattack against health insurance company CareFirst BlueCross BlueShield that compromised the data of about 1.1 million people. U.S. District Judge Christopher Cooper in Washington, D.C. ruled Wednesday that the CareFirst policyholders who brought the lawsuit had not shown that they faced actual harm, noting that the most sensitive information, such as Social Security and credit card numbers, was not compromised by the attack. Read more on Reuters and Law360, although you’ll need subscriptions to access their full coverage. This is the second suit CareFirst was able to get dismissed. Another lawsuit was dismissed in May. For previous coverage of the breach itself and follow-up, search this blog for CareFirst.
Sometimes doing the right thing can be costly. In the wake of increasing attacks on health insurers (e.g., Anthem, Premera), CareFirst BlueCross BlueShield retained Mandiant to do an end-to-end assessment of their information security environment. The assessment included multiple scans to determine if there was any evidence of any attack. On April 21, 2015, Mandiant uncovered evidence of an attack that occurred on June 19, 2014 and that resulted in limited unauthorized access to a database used for a website accessed by registered CareFirst brokers. The attackers may have been able to access names, usernames, and Social Security numbers. They would not have been able to obtain other information, however, because the companion passwords for the usernames were encrypted and stored in a separate system. CareFirst notified approximately 1.1 million current and former brokers and members of the breach and offered them two years of Experian’s ProtectMyID services. Mandiant reportedly found no evidence of any other compromise or breach in their systems. Kudos to CareFirst BlueCross BlueShield for investing in this type of assessment of their security and then for responding to the findings in a matter of weeks. Note: this breach had previously been reported on this site, including the fact that CareFirst had thought it had remedied the breach when it was first discovered, but hadn’t. The point of this blog post is to stress the value of bringing in outside experts to assess your system.
Steve Ragan reports: Last week, CareFirst BlueCross BlueShield (CareFirst) reported a data breach that was initially discovered last year. When the incident was first noticed, the company assumed they had taken care of the problem – only to learn that wasn’t the case ten months later. The healthcare sector has taken center stage in the recent months as criminals shift from retail and finance towards easier targets. Unfortunately, most healthcare organizations are operating under a number of flawed assumptions concerning security and it’s starting to cause serious problems. Read more on CSO.