1.1 million CareFirst members in D.C.-area potentially breached

As many as 1.1 million Washington, D.C., BlueCross BlueShield members may have had their information accessed in a cyber-breach that occurred in June of 2014.

CareFirst BlueCross BlueShield announced Wednesday it had been the target of a "sophisticated cyberattack," the company said in a release.

The attackers could have potentially acquired members' names, birth dates, email addresses and subscriber identification numbers.

However, CareFirst said its user names must be used in conjunction with a member-created password to gain access to underlying member data on the website.

The database that was breached did not include these passwords, which were encrypted and stored in a separate system as a safeguard against such attacks.

That means the attackers did not have access to member Social Security numbers, medical claims, employment, credit card, or financial information, CareFirst said.

The company is blocking member access to the accounts that might have been compromised, and is asking members to create new user names and passwords for them.

All affected users will be sent letters granting them two years of free credit monitoring and identity theft protection, the company said in a statement posted on its site.

The attack came to light when CareFirst hired Mandiant, the cyber-forensics unit of computer security company FireEye, to review its security in the wake of recent cyber attacks on other health insurers.

"The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year," said Charles Carmakal, managing director of Mandiant.

The fact that the health care company's members are primarily based in Northern Virginia, Maryland and Washington D.C. is not lost on people in the security community.

"Obviously, we know what's there," said Rick Holland with Forrester Research, contemplating the heavy concentration of government, military and contractors in the region.

There has been speculation that previous health care computer breaches could also be linked to China, including those at Anthem, Premera and Community Health System.

Industrial spying by China is well known. On Tuesday federal prosecutors made public charges against a Chinese espionage ring that included two professors who studied together at the University of Southern California. The ring stole trade secrets and gave them to Chinese companies.