Health insurance plan provider Anthem says a third-party breach might have exposed 18,500 customers’ personal and medical data.

In a statement (PDF), Anthem media contact Gene Rodriguez reveals how the security incident links back to LaunchPoint Ventures LLC, a firm which provides insurance coordination services to Anthem:

“On April 12, 2017, LaunchPoint, learned that one of its employees was likely involved in identity theft related activities. LaunchPoint hired a forensic firm to investigate. On May 28, 2017, LaunchPoint learned that some other, non-Anthem data, may have been misused by the employee. LaunchPoint then learned the employee emailed a file with information about Anthem companies’ members to his personal email address on July 8, 2016. This action violated LaunchPoint’s policies. The investigation is ongoing. LaunchPoint does not know if the email was related to a legitimate work purpose.”

LaunchPoint took it upon itself to review the emailed file for personal health information (PHI) that belonged to Anthem members. By June 12, 2017, it had found that the file contained Medicare ID numbers, which include Social Security Numbers, Health Plan ID numbers, and other medical information, as well as a small number of last names and dates of birth. The insurance coordination firm then notified Anthem on June 14, 2017.

A month and a half later, the affected insurance plan provider informed the U.S. Department of Health and Human Services about the incident. Its case is still under investigation as of this writing.

LaunchPoint began notifying affected customers on the same day the U.S. government received a report about the breach. Rodriguez says the two companies did a lot of work leading up to and in support of the notification process. As she told CNBC News:

“Anthem had to work with LaunchPoint to determine if the information contained in the report corresponded to Anthem family health plan members. We had to ensure LaunchPoint had accurate address information in order to notify those impacted.”

The insurance coordination firm is offering two years of credit monitoring and identity protection services to affected members at no cost to them.

In the meantime, LaunchPoint has terminated the offending employee, whom law enforcement officers have since arrested on charges unrelated to the emailed file. The company is also working to strengthen its existing policies and procedures in an effort to prevent similar events from occurring in the future.

News of this breach comes just over a month after Anthem agreed to pay $115 million to settle a class-action lawsuit over the 2015 data breach that compromised the personal information of nearly 80 million customers.