A month after it agreed to settle 2015’s massive data breach, Anthem Inc., the United States’ largest healthcare company, has a new problem on its hands.
The Indianapolis-based company began notifying 18,000 members affected by another unrelated data breach last week.
Anthem reported the breach on July 24 to the U.S. Department of Health and Human Services Office for Civil Rights, which keeps track of data breaches per 2009’s HITECH Act.
According to Anthem, the breach stems from a 2016 incident involving a third-party company, LaunchPoint Ventures, that provides insurance coordination services to Anthem. LaunchPoint said last week that on July 8, 2016, an employee emailed a file containing personal information about Anthem members to his personal email address. LaunchPoint didn’t learn of the incident until April of this year, 10 months after the fact.
The company says the employee, who has since been fired, jailed and is under investigation for an unrelated incident, was “likely involved in identity theft related activities.” LaunchPoint learned the employee was involved in the activities in April and learned a month later, in May, that some non-Anthem data may have been misused during his tenure at the company.
It took several weeks, but according to Anthem, LaunchPoint was eventually able to confirm in mid-June that the file the employee emailed contained sensitive health information pertaining to Anthem members. The file contained individuals’ Medicare ID numbers, Social Security numbers, Health Plan ID numbers, Medicare contract numbers, and dates of enrollment. The companies claim that in some limited instances, individuals’ last names and dates of birth were also included, but that they’re notifying those members directly.
In a blog post last Monday, Anthem said the incident could ultimately affect 18,580 Medicare members. It’s unclear at this point whether the victims are confined to a specific regional branch of Anthem or spread out nationwide. Regardless, as is customary following incidents like this, LaunchPoint said it’s working with law enforcement on an investigation and is supplying victims with two years of credit monitoring and identity theft restoration services.
While the incident wasn’t technically Anthem’s fault, it’s still the latest in a series of rough patches for the company.
The company agreed in late June to pay $115 million to settle a 2015 breach of data belonging to 79 million members. Data in that breach, which was far worse both in scope and sheer number of records, contained individuals’ names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, email addresses, and employment information.
The judge presiding over the case, Lucy Koh of the United States District Court for the Northern District of California, is scheduled to hear the Plaintiff’s motion later this month, on August 17. If approved, the settlement will be the largest pertaining to a data breach in recorded history.