CareFirst recently announced a “phishing” attack on an employee’s work email account, which was discovered on March 12. The attack lead to spam emails being sent from the employee’s email address and compromised the personal information of up to 6,800 CareFirst members. Since the breach was restricted to only the CareFirst employee’s emails, the compromised information included very limited personal information, none of which was medical or financial.
CareFirst will contact each potentially affected individual via letter to advise them of the attack and to provide free enrollment information for a credit monitoring and identity theft protection program.
The Federal Trade Commission (FTC) advises never to provide personal identifying information (social security number, credit card numbers, bank and utility account numbers, etc.) to anyone without being sure why they need it and that the request can be trusted. In general, CareFirst and other health insurance carriers will not request personal identifying information via email.