Anthem has reported a data breach impacting more than 18,500 members after a business associate discovered a rogue employee improperly emailed member records.
The breach was initially discovered in May by LaunchPoint Ventures, a third-party analytics company that provides insurance coordination services to Anthem, according to a media advisory released (PDF) by the insurance provider. After learning that one of its employees was involved in “identity theft-related activities” LaunchPoint discovered the employee emailed a file containing protected health information of Anthem members to his personal address.
LaunchPoint reported the incident to Anthem on June 14 and Anthem reported the breach the HHS Office for Civil Rights on July 24. LaunchPoint has terminated the employee, hired an investigator and is working with law enforcement.
Data show that insider threats still make up a large portion of data breach incidents and healthcare executives see employee security awareness and culture as their number one threat. At the same time, payer and providers favor funding for cybersecurity technology over staff hiring and training.
The breach notification comes just over a month after Anthem agreed to pay $115 million to settle a class-action lawsuit over the 2015 data breach that exposed nearly 80 million member records. Part of the settlement, which is awaiting approval by a California district court judge requires the insurer to adhere to specific security practices and devote a certain amount of money to information security.