CareFirst BlueCross BlueShield announced today that it recently discovered it was the target of a sophisticated cyberattack. The attack occurred in June 2014 and affected a single database which houses data for the member portal known as MyAccount.

According to an outside cybersecurity review engaged by CareFirst, the data breach included member name, date of birth, member ID number, user name and email address. Because CareFirst stores user names and passwords for MyAccount in separate databases, the attacker did not gain access to the underlying data in MyAccount. Therefore, the breach did not include data regarding member passwords, social security numbers, medical records, or financial information.

In order to protect member information, CareFirst immediately disabled the MyAccount user name and passwords for all registered users. All members that use CareFirst’s online services will need to visit and change their user name and password on their MyAccount portal.

The attack affects approximately 1.1 million CareFirst members who registered to use CareFirst’s online services prior to June 2014. All affected members will receive an individual letter from CareFirst and will be offered two years of free credit monitoring and identity theft protection.

If you sponsor a CareFirst plan, we recommend that you notify your participants as soon as possible. For more information and FAQ’s, please visit We will continue to share updates from CareFirst as they become available.