Updated CareFirst BlueCross BlueShield Statement Regarding Anthem Data Breach

Baltimore, MD (February 12, 2015) - CareFirst BlueCross BlueShield (CareFirst) was made aware last week by Anthem (like CareFirst, a Blue Cross Blue Shield company) of a cyberattack on Anthem’s information technology system and a resulting data breach. Anthem has indicated that some CareFirst members were impacted by the data breach.

We have received from Anthem certain information about the potential impact of this breach on current and former CareFirst members. We are currently engaged in the complex process of vetting that information and verifying the number and identity of those affected, and—importantly—the type of information involved. This is a complex process and will take some time to complete.

At this time, it is important to note that:

  • CareFirst members represent a small portion of the overall number of individuals affected by the Anthem breach—around 0.5 percent of the total number.
  • The most potentially sensitive data included in the breached information is Social Security Numbers (SSNs). Our early analysis of the data provided by Anthem so far suggests that this data was rarely present in the data of CareFirst members. This review and analysis will continue and be verified.

We expect to know more and have more to say regarding this matter in the next week. In the meantime, Anthem will be communicating (via letter) to all individuals affected and those individuals will be able to enroll in two years of free credit monitoring and identity theft repair services. The cost of these services will be borne by Anthem. Starting this Friday, Feb. 13, those affected will be able to visit AnthemFacts for details on how to enroll.

In addition, after carefully analyzing and verifying the data, CareFirst will directly notify those CareFirst members at the greatest risk as a result of the breach—chiefly, those apparent few where SSNs may have been compromised.

More information regarding the Anthem data breach and its impact on CareFirst members will be posted on this site as it becomes known.

In response to the breach, CareFirst is working to understand the full nature of the Anthem cyberattack and actively reviewing its security posture and technical controls. We are conducting a full scan of our technical environment and also reverse engineering the Anthem attack to look for the telltale signs of any data breach in our operating systems. This includes a forensic investigation of our technical environment, looking for any signs of intrusion, malware, hacks, or abnormal systems activity. At this time, we have found no evidence of any breaches or abnormal activity in CareFirst’s systems, network or databases.

How can CareFirst Member Information be Affected by the Anthem Data Breach?

Thirty-seven independent companies—including CareFirst BlueCross BlueShield—operate in various locations across the United States and Puerto Rico to form the Blue Cross and Blue Shield network. This network enables you to receive the same health insurance benefits for any medical care you may need while living or traveling within the coverage areas of any other Blue Cross Blue Shield company.

In those instances, your medical claim is sent, on your behalf, from the Blue Cross Blue Shield company that received it to your local Blue Cross Blue Shield company that maintains your healthcare plan. This process ensures that your claim is processed based on your personal benefit plan, while receiving the discounts agreed upon between the provider and the Blue Cross Blue Shield company that received it while you were living or traveling outside of your Blue Cross Blue Shield company’s coverage area.

Therefore, if you received care in any of the Anthem locations (listed below) within the past ten years, your claims experience may have been retained in Anthem’s database.

In all or portions of the following states: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, or Wisconsin.