Anthem suffers data breach…again

Just last month it was announced that Anthem had reached a proposed landmark $115 million settlement for a historic data breach involving 78.8 million of its customers. The settlement is yet to be approved by a judge.

The latest breach affects more than 18,500 Anthem members and was discovered by LaunchPoint Ventures LLC (LaunchPoint), which provides insurance coordination services to Anthem.

Timeline of events:

April 12, 2017

LaunchPoint revealed that one of its employees had potentially been involved in identity theft activities.

May 28, 2017

LaunchPoint opened an investigation and enlisted the services of a forensics company to assist. This investigation revealed that some other non-Anthem data had been misused by the employee: the employee had sent a file containing a number of personal details about Anthem customers to a personal email address on July 8, 2016.

According to a report, the personal information included Medicare ID numbers, Social Security numbers, health plan ID numbers, enrollment dates, and a very limited number of surnames and dates of birth.

June 12, 2017

LaunchPoint established that the information included “Protected Health Information (“PHI”) of Anthem members.”

June 14, 2017

LaunchPoint informed Anthem of the breach, although it did “not have any information to suggest that the data on the file was misused.”

July 24, 2017

Anthem reported the breach to the Department of Health and Human Services.

In a press release, Anthem confirmed that the employee had been fired and is under investigation for other unrelated matters, and that LaunchPoint is working with law enforcement.

The statement also read:

LaunchPoint is reinforcing existing policies and protocols and is evaluating additional safeguards to prevent any similar incidents from occurring in the future. LaunchPoint is providing those impacted with information on how to better protect against potential identity theft and fraud, as well as access to two years of credit monitoring and identity theft restoration services with AllClear ID at no cost.

Educate your staff and protect your company

The breach is a reminder that an organization’s employees – malicious or not – pose a threat to data. Staff awareness training can help combat insider threats by making sure that staff who have access to sensitive data have the correct knowledge and an understanding of information security. Enroll your staff on our Information Security Staff Awareness eLearning Course to make sure that they understand what is expected of them.

In addition, it’s vital that organizations have the right security controls in place to prevent attacks such as this. Lack of user access management could allow unauthorized staff access to highly sensitive customer information, which could result in a similar situation.

IT Governance offers a range of cybersecurity solutions. For more information, read our Cyber Testing Playbook.