Over one million CareFirst members potentially breached

Information belonging to more than a million Washington, DC, BlueCross BlueShield members could have been compromised in a cyber-breach that took place in 2014. CareFirst BlueCross BlueShield announced that it had been the target of a ‘sophisticated cyberattack’.

Members' names, birth dates, email addresses and subscriber identification numbers could have been acquired by the attackers. However, according to CareFirst, its user names must be used in combination with a member-created password to gain access to underlying member data on the website.

The breached database did not include these passwords, which were encrypted and stored in a different system as a protection against such attacks. According to CareFirst, this indicates that the attackers were not able to obtain member Social Security numbers, employment, medical claims, credit card, or financial information.

The company will block member access to the accounts that may have been compromised and is asking members to create new user names and passwords for them. In a statement posted on its site, the company said it will send letters to all affected users and will grant them free credit monitoring for two years in addition to identity theft protection.

News of the attack broke when CareFirst hired Mandiant to review its security after cyber attacks on other health insurers. According to Charles Carmakal, managing director of Mandiant, "The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year".

There were rumors that previous health care computer breaches, together with those at Anthem, Premera and Community Health System, could have a connection with China.