Health insurer CareFirst says 1.1 million profiles were hacked

NEW YORK – In the latest disclosure of a cyberattack against a health insurer, CareFirst BlueCross BlueShield said attackers gained access to a database that included the names of 1.1 million people.

The company said Wednesday that the breach happened in June after a “sophisticated cyberattack.” The attackers got into a database that included the names, usernames, birth dates, email addresses and subscriber ID numbers of about 1.1 million current and former members and people who did business with CareFirst.

The attackers did not get access to members’ passwords because those are encrypted and stored in a separate system, CareFirst said. They also didn’t get access to Social Security numbers, medical claims, or credit cards, and the company said there is no evidence of other breaches.

CareFirst is based in Baltimore. It provides health insurance and services to 3.4 million people in Maryland, Northern Virginia and Washington, D.C. The company is offering two years of free credit monitoring and identity theft protection to consumers affected by the breach.

Earlier this year Anthem, the second-largest health insurer in the U.S., disclosed a data breach that affected as many as 80 million people. Premera Blue Cross, a health insurer based in the Pacific Northwest, said a breach may have exposed information belonging to 11 million people.