CareFirst BlueCross BlueShield Community Health Plan District of Columbia

On April 5, 2021, the Maine Office of the Attorney General disclosed a data breach affecting CareFirst BlueCross BlueShield Community Health Plan District of Columbia, stemming from an external hacking incident on January 25, 2021. The breach, detected three days later, compromised an external system and exposed sensitive personal data, primarily Social Security numbers, of approximately 211,000 individuals. The incident highlights a severe lapse in cybersecurity, as the exposed data (SSNs) poses a high risk of identity theft, financial fraud, and long-term reputational damage for the affected individuals. While the breach did not involve ransomware or a full-scale system takeover, the scale of exposed personally identifiable information (PII) underscores the potential for widespread exploitation by malicious actors. The breach’s discovery timeline suggests a rapid response, but the irreversible exposure of SSNs, which are critical for financial and governmental verification, elevates the incident’s gravity. As a healthcare insurer, CareFirst’s breach also raises concerns about compliance with HIPAA and other data protection regulations, given the sensitivity of the compromised records. The lack of immediate evidence of data misuse does not mitigate the long-term risks, as stolen SSNs remain valuable on dark web markets for years. The incident serves as a stark reminder of the persistent threats targeting healthcare providers and the cascading consequences of third-party system vulnerabilities.

Source: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/77b3c752-606d-43aa-b421-59be9670977f.shtml

TPRM report: https://www.rankiteo.com/company/carefirst-bluecross-blueshield

"id": "car607090125",
"linkid": "carefirst-bluecross-blueshield",
"type": "Breach",
"date": "1/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '211,000',
                        'industry': 'Healthcare',
                        'location': 'District of Columbia, USA',
                        'name': 'CareFirst BlueCross BlueShield Community '
                                'Health Plan District of Columbia',
                        'type': 'Healthcare Provider / Insurance'}],
 'attack_vector': 'External System Breach (Hacking)',
 'data_breach': {'number_of_records_exposed': '211,000',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Social Security numbers']},
 'date_detected': '2021-01-28',
 'date_publicly_disclosed': '2021-04-05',
 'description': 'The Maine Office of the Attorney General reported a data '
                'breach involving CareFirst BlueCross BlueShield Community '
                'Health Plan District of Columbia. The breach occurred due to '
                'an external system breach (hacking) and potentially affected '
                'approximately 211,000 individuals, with compromised '
                'information including Social Security numbers.',
 'impact': {'data_compromised': ['Social Security numbers'],
            'identity_theft_risk': 'High (SSNs compromised)'},
 'references': [{'source': 'Maine Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'Maine Office of the '
                                                       'Attorney General'},
 'title': 'CareFirst BlueCross BlueShield Community Health Plan District of '
          'Columbia Data Breach',
 'type': 'Data Breach'}