Anthem Health Insurance is once again reporting a data breach, this time 18,500 members had their records emailed to the private email address of a staffer at a third-party vendor.
The first indication that there was a problem came in April when Anthem’s insurance coordination firm LaunchPoint Ventures realized one of its employees was likely involved in identity theft activities, Anthem said in a release. On May 28 LaunchPoint discovered the worker had misused another company’s data as well as having emailed a file containing the Anthem membership records to his personal account on July 8, 2016.
LaunchPoint investigated the incident and on June 12 reported the email did contain Protected Health Information and two days later reported the case to Anthem.
“The personal information on the file primarily included Medicare ID numbers (HICN) which includes a Social Security number, Health Plan ID numbers (HCID), Medicare contract numbers, and dates of enrollment. A very limited number of last names and dates of birth were also included,” Anthem reported.
The members involved are now being contacted.
The LaunchPoint employee has since been fired and arrested, but on charges unrelated to this case, Anthem said.
Security issues involving third-party vendors have been a primary reason for data breaches and is an area companies of all sizes must examine, Gaurav Banga, founder and CEO of Balbix, told SC Media.
“Businesses need to better assess risk of data exfiltration and malicious intent across the enterprise, including third party contractors. Specifically finding the data stores within the enterprise that have a high business impact and are at an increased likelihood from being attacked by infected devices or malicious users, can help predict and prevent such attacks, before they happen. Continuous risk assessment and monitoring of the enterprise attack surface can reveal such risks proactively,” he said.
In 2015 Anthem was involved in a massive hacking incident that saw 80 million customer records compromised. It recently agreed to pay $115 million to settle a class action suit centered on that incident.