Anthem is once again dealing with a data breach, this one impacting more than 18,500 individuals after a contactor emailed a file with Anthem members' information to his personal email address in July 2016, according to a media alert. The contractor was an employee of LaunchPoint Ventures, a third-party contractor which provides insurance coordination services to the payer. Anthem reported the breach to the U.S. Department of Health and Human Services on July 24.
Launchpoint learned of the breach after one of its employees was was involved in "identity theft-related activities" on April 12, according to the announcement. Following the incident, LaunchPoint hired a forensics firm to investigate, which discovered the contractor's email. The firm "terminated" the employee, who is currently incarcerated and under investigation by law enforcement, though the incidents are unrelated to the Anthem email.
Once the third-party confirmed the file included protected health information, it informed Anthem of the incident on July 14. The PHI included Medicare ID numbers, which include Social Security numbers, Health Plan ID numbers, Medicare contract numbers and enrollment dates, according to the announcement.
The news of the third-party data breach comes just after Anthem agreed to pay $115 million to settle a class-action lawsuit for a 2015 data breach, which resulted in the personal information theft of 80 million members and employees. Anthem did not admit any wrongdoing and in a statement after the settlement was announced said it was "determined to do its part to prevent future attacks."
Though the payer could have stringent cybersecurity policies and data best practices, it cannot always control the actions of third-party providers. Some of the most high-profile data breaches have come at the hands of third-party providers. In a recent Target breach, hackers broke into corporate systems using network credentials from the retailer's refrigeration and HVAC provider.
But the problem is companies can't do away with the third party ecosystem. Organizations need external providers to help keep systems running, whether that's building service providers or insurance coordination services.
It's bad timing for Anthem, which certainly does not need another breach on its hands, especially since the class action lawsuit alleged that Anthem knew its IT was lacking. This breach, however, impacts far fewer people and LaunchPoint has already said it would provide information on preventing identity theft and fraud to those impacted, in addition to two years of credit monitoring and identity theft restoration services.