CareFirst BlueCross BlueShield has notified 6,800 members that their personal information may have been compromised as part of an email phishing attack at the beginning of last month.

On March 12, the Maryland insurer determined one of its employees fell victim to a deceptive email campaign. The attackers gained access to the employee’s email and could have potentially viewed personal information for nearly 7,000 members, including member identification numbers. A small number of records included social security numbers, but no financial or medical information was compromised, CareFirst said in an announcement.

“The original phishing message and the resulting spam messages have been forensically examined by CareFirst’s information security team as well as by a 3rd party information security firm,” the company wrote. “CareFirst’s systems in general were also forensically analyzed. There was no evidence of malware in the phishing email or spam and no other suspicious activity was detected within CareFirst’s systems. The individual email account was reset.”

Digital Transformation Unlock the Digital Front Door with an App The Member Mobile App is the smarter and better way to engage members anytime and anywhere. Members can find the right doctors, receive alerts, track spending, use telehealth, and more — all within a guided, intuitive, and seamless experience. Built exclusively for payers, it is ready to install and launch in a few months. Request a consult on how to enable the digital front door with the Mobile App, today. Request a Consult

CareFirst will offer two years of free credit monitoring to those affected.

The notification comes weeks after the Supreme Court denied CareFirst’s appeal to review a lawsuit stemming from a 2014 data breach that compromised information for 1.1 million members. A D.C. appeals court previously ruled that members of the class-action lawsuit had sufficiently demonstrated the possibility of harm associated with the breach was substantial enough to bring claims against the insurer.

Phishing scams are frequently used by attackers to gain access to healthcare systems, and research shows unintended disclosures account for a large chunk of reported breaches. Earlier this year, a Florida agency that oversees the state’s Medicaid program said a phishing attack potentially impacted 30,000 individuals.