A new medical data breach has exposed personal health information (PHI) of more than 18,500 Anthem Medicare enrollees, due to an employee’s involvement in identity theft. Consulting firm LaunchPoint Ventures discovered on April 12 that an employee had emailed a file with information about Anthem companies’ members to his personal email address on July 8, 2016. The file contained more than 18,500 Anthem Medicare members’ Social Security and Medicare identification data. The employee has since been fired and is currently under investigation by law enforcement for matters unrelated to the Anthem breach.
Anthem later reported the breach to the Department of Health and Human Resources on July 24. Both Anthem and LaunchPoint began notifying members about the breach, and affected members will be provided with two years of free credit monitoring and identity theft restoration services.
The recent data breach marks the second major data breach for Anthem in the past two years. Anthem recently agreed to a $115M settlement, following a 2015 cyberattack that affected nearly 80 million plan members.
“Whether it’s a careless auto-fill of an external email address in a file sharing prompt, or a malicious attempt to leak data, as it appears to be the case in this most recent Anthem breach, healthcare organizations must use technologies like data leakage prevention (DLP) to identify sensitive patient data and to build controls around when that data can be accessed and by whom. In this incident, simple rules could have been implemented that prohibit such a large volume of patient data from being shared outside the organization without internal approval,” said Rich Campagna, CEO at Bitglass, in a statement on the recent Anthem breach.