Anthem's Latest Headache: Business Associate BreachBA's Incarcerated Employee at Center of Breach Affecting Thousands
Health insurer Anthem Inc., still dealing with the aftermath of a 2015 cyberattack that affected nearly 79 million individuals, now is coping with another - albeit smaller - breach incident. This one involves a business associate's former employee who's currently incarcerated.
Anthem's latest breach headache underscores the security risks posed by business associates - and their employees.
"Unfortunately, you can never entirely eliminate the risk of a breach from a business associate," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "Often, the best you can do is reasonable due diligence, such as inquiring as to whether an independent third party has audited the business associate's information security practices, confirming that the business associate reasonably screens employees who will have access to protected health information and other confidential information, and relying on insurance to cover the remaining risk that can't be eliminated."
Medicare Members Impacted
Anthem Inc. on July 24 reported to federal regulators an unauthorized access/disclosure breach involving email and affecting 18,580 individuals, according to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame".
In a statement, Anthem says the incident - which potentially affects Medicare members of all Anthem companies and subsidiaries - involved a former employee of Launchpoint Ventures, an Indiana-based vendor that provides Anthem with insurance coordination services.
LaunchPoint is notifying affected individuals, Anthem says. The vendor is also providing those impacted with access to two years of free credit monitoring and identity theft restoration services.
Potentially compromised information includes Medicare ID numbers - which includes a Social Security number, health plan ID numbers, Medicare contract numbers and dates of enrollment. A very limited number of last names and dates of birth were also included, Anthem says.
An Anthem spokeswoman tells Information Security Media Group that the breach affected Anthem Medicare members in all 21 states where the company does business. Among the hardest hit states, however, were California, Georgia, Indiana, Kentucky, New York and Ohio, she says. At least 500 individuals in each of those states were affected, "triggering us to issue media notices" in those states, she says.
Anthem says that on April 12, "LaunchPoint learned that one of its employees was likely involved in identity theft related activities." Anthem declined to say how LaunchPoint learned about its employee's alleged criminal activities. But LaunchPoint hired a forensics firm to investigate.
On May 28, LaunchPoint learned that some other, non-Anthem data, "may have been misused by the employee."
LaunchPoint then learned the employee emailed a file with information about Anthem members to his personal email address back in July of 2016. "This action violated LaunchPoint's policies. The investigation is ongoing. LaunchPoint does not know if the email was related to a legitimate work purpose," Anthem says in the breach notice sent to the news media.
On June 12, LaunchPoint confirmed the file emailed by the employee to his personal email address last year included the protected health information of Anthem members, and the business associate reported the incident to Anthem on June 14.
"LaunchPoint does not have any information to suggest that the data on the file was misused," Anthem says.
The vendor has terminated the employee, hired a forensic expert to investigate and is working with law enforcement, Anthem says.
"The employee has been incarcerated and is under investigation by law enforcement for matters unrelated to the e-mailed Anthem file," Anthem reports. "LaunchPoint is reinforcing existing policies and protocols and is evaluating additional safeguards to prevent any similar incidents from occurring in the future."
LaunchPoint did not immediately respond to ISMG's request for comment.
The messy business associate breach involving Anthem member data "is sadly, a fairly typical incident," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "While a business associate has their own HIPAA compliance obligations, the covered entity is still stuck with the breach notification obligations, even where they are not at fault in any way," he says.
"The situation here at the business associate seems somewhat common - an insider with permitted access to certain data misuses this data. We see these cases regularly. That doesn't mean that its acceptable - just that it's common and frequent."
All business associates and covered entities need to build a program to examine insider access, Nahra says. "If they can't control front end access - which usually is no more than a partial solution - they need to think about back end monitoring and investigations."
Steps to Take
Steps can be taken to help reduce the risk of employees emailing sensitive data without authorization, Greene says.
"Data loss prevention technology is one means of ensuring that employees cannot email sensitive information using personal email," he says. "But it is a costly technology, both in terms of financial expenditure and the staff needed to maintain it - such as reviewing every alert - so it is not reasonable for every organization."
If an organization determines that technology such as DLP is not reasonable based on their size and limited resources, "they may want to consider documenting this analysis to be able to show a regulator that they considered the technology and why it was not appropriate to adopt it at the time," in case there's a breach, Greene adds. "It should be a well thought-out analysis, considering the risk to the organization versus the benefit of the technology. You never want to hand over a document to a class action attorney that simply says 'no budget for DLP this year.'"
In addition to implementing technology tools such as DLP, attorney Marti Arvin, vice president of audit strategy at security consultancy CynergisTek, says it's critical that organizations provide "strong training of the workforce to ensure they understand the company's policy regarding emailing PHI and the use of personal email accounts." She notes that while the LaunchPoint incident "appears to be an employee acting nefariously, emailing PHI to a personal email account in an unsecure manner could still constitute a breach."
Nahra says the main lesson to be learned from the latest Anthem breach is that "insider problems are real and need to be examined, and that it is really hard to prevent all of these issues. But companies need to focus on reducing risks, looking for potential problems and then being able to investigate where a red flag is raised. "
Class Action Settlement
Just last month, Anthem agreed to a proposed $115 million deal to settle a class action lawsuit over the 2015 cyberattack that resulted in a breach affecting about 78.9 million individuals. If approved in August by the California federal court handling the consolidated case, the deal would be the largest data breach settlement ever reached (see $115 Million Settlement in Massive Anthem Breach Case).