- An Anthem vendor recently announced that it suffered a potential data breach that could impact 18,580 Medicare members.
LaunchPoint Ventures, LLC (LaunchPoint) is a Medicare insurance coordination services vendor. The organization learned on April 12, 2017 that one of its employees “was likely involved in identity theft related activities.”
LaunchPoint learned in its subsequent investigation that “some other non-Anthem data may have been misused by the employee” and that the employee emailed a file with PHI to his personal email address.
The vendor explained that it does not know if the email was work-related, but said the investigation is ongoing.
LaunchPoint notified Anthem of the potential PHI security breach on June 14, 2017.
Information in the emailed file included Medicare ID numbers (which includes a Social Security number), health plan ID numbers, Medicare contract numbers, dates of enrollment, and limited numbers of last names and dates of birth.
“LaunchPoint terminated the employee, hired a forensic expert to investigate, and is working with law enforcement,” read Anthem’s online statement. “The employee is in prison and is under investigation by law enforcement for matters unrelated to the e-mailed Anthem file.”
Impacted Medicare members will have access to two years of credit monitoring and identity theft restoration services, and will also receive information on how to better protect against potential identity theft and fraud, according to LaunchPoint.
This is the second large-scale data breach to affect Anthem in the past two years. Anthem suffered a cybersecurity attack that impacted 78.8 million consumers in 2015.
Anthem discovered the incident on January 27, 2015 but did not publicly report the information until February 2015.
Hackers infiltrated an Anthem data base, and may have compromised names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses.
Anthem CEO Joseph Swedish said in a statement at the time of the initial breach reporting that it was a “very sophisticated external cyber attack” and the IT system was breached despite Anthem’s best efforts and “state-of-the-art information security systems.”
A California Department of Insurance report determined with a “high degree of confidence” that the incident stemmed from a foreign nation attack. The report “concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government.”
“This was one of the largest cyber hacks of an insurance company's customer data," Insurance Commissioner Dave Jones said in a statement. “Insurers have an obligation to make sure consumers' health and financial information is protected. Insurance commissioners required Anthem to take a series of steps to improve its cybersecurity and provide credit protection for consumers affected by the breach.”
The Department report said Anthem took reasonable measures to protect its data before the data breach. Anthem had also employed a remediation plan, which helped lead to a quick and effective breach response, according to the findings.
The initial breach was found to have taken place on February 18, 2014 when a user within one of Anthem's subsidiaries opened a phishing email.
“Opening the email permitted the download of malicious files to the user's computer and allowed hackers to gain remote access to that computer and at least 90 other systems within the Anthem enterprise, including Anthem's data warehouse,” the Department stated.
More recently, a $115 million settlement was proposed, which would require Anthem to guarantee a certain level of funding for information security and to implement or maintain data security system changes.
The insurance provider still denies “any wrongdoing whatsoever,” according to court documents. The proposed settlement “shall in no event be construed or deemed to be evidence of or an admission or concession,” Anthem added.
“After two years of intensive litigation and hard work by the parties, we are pleased that consumers who were affected by this data breach will be protected going forward and compensated for past losses,” plaintiffs’ Co-lead Counsel Eve Cervantez said, according to a Girard Gibbs LLP post.