Back in June, cyber security experts believed that Anthem Inc., the largest health insurance company in the US, had learnt its lesson after being fined $115 million for a data breach that compromised personal details of over 79 million customers.
It has now come to light that Anthem has suffered another data breach, this time through the mishandling of sensitive data by a third party.
The latest data breach is said to have exposed Social Security numbers and Medicare identification data of over 18,500 Anthem Medicare members. The breach occurred after an employee of one of Anthem’s consulting firms maliciously stole the data and leaked it to unauthorised parties.
LaunchPoint Ventures, the consultancy firm in question, discovered the breach as far back as March, when it turned out that an employee had emailed the Social Security numbers and Medicare identification data of over 18,500 Anthem Medicare members to his personal email address last year.
The firm informed Anthem of the breach in May, and after completing its own investigation of the breach, Anthem informed law enforcement on 24th July. The employee in question was terminated and is now facing legal action.
“Anthem had to work with LaunchPoint to determine if the information contained in the report corresponded to Anthem family health plan members. (We) had to ensure LaunchPoint had accurate address information in order to notify those impacted,” said Gene Rodriguez, public relations director at Anthem.
Anthem has promised to offer free credit monitoring and identity theft restoration services to affected customers for a period of two years.
‘It doesn’t matter if it’s a careless mistake or a malicious attempt to leak data, healthcare organisations must put in place measures to identify sensitive patient data and build controls around when that data can be accessed and by whom,’ says Rich Campagna, CEO at Bitglass.
‘In this latest Anthem incident, simple data security rules could have been put in place to prohibit such a large volume of patient data from being shared outside the organisation without internal approval.
‘Healthcare organisations are major targets and will see any and all lapses in security exploited by malicious individuals, both internal and external. As healthcare organisations make patient data more accessible to individuals and new systems, they must make information security their top priority,’ he adds.
Earlier this month, insurance firm Bupa also announced that one of its employees had inappropriately copied and removed data belonging to 108,000 international health insurance customers. The employee obtained these customers' personal information, but their medical and financial information is secure.
Data compromised by the employee included names, dates of birth, nationality, membership numbers and some contact and administrative information. Bupa has also confirmed that the information has been shared with third parties.
‘Unfortunately, there is no silver bullet solution to solve an employee error, but if companies take a layered approach that includes awareness and education alongside preventive and detective controls they will be much more secure,’ said Darran Rolls, CISO & CTO at SailPoint.
Considering that placing excessive restrictions on access to the cloud may hamper the productivity of employees, companies can control critical data by taking a governance-based approach to identity and access management. There should be a balance between enhanced user access and new IT visibility and controls, he added.