Anthem is facing a privacy breach involving 18,580 Medicare beneficiaries after a vendor employee copied company files to his personal email last summer.
About 60 of the affected Medicare enrollees live in Florida, according to an Anthem spokesman.
The employee who emailed Anthem records to his personal email worked for LaunchPoint Ventures, which is based in Indiana and performs insurance coordination for Anthem, which is headquartered in Indianapolis.
The vendor employee was fired and is under investigation by law enforcement officials for matters unrelated to the breach, according to Anthem. The employee has been incarcerated.
“LaunchPoint is providing those impacted with information on how to better protect against potential identity theft and fraud, as well as access to two years of credit monitoring and identity theft restoration services with AllClear ID at no cost,” Anthem said in a statement.
The company learned that personal information of Anthem clients that was compromised includes Medicare identification numbers, Social Security numbers, health plan identification numbers, Medicare contract numbers and date of enrollment.
“A very limited number of last names and dates of birth were also included,” Anthem said.
LaunchPoint learned on April 12 that one of its employees was likely involved in identity theft-related activities, and it hired a forensic team to investigate.
On May 28 the company learned that some other non-Anthem data may have been misused by the same employee. LaunchPoint learned the employee had emailed a file of information about Anthem companies’ members to his personal email address on July 8, 2016, according to Anthem. The action violated LaunchPoint’s policies.
LaunchPoint confirmed on June 12 that the copied file included protected health information of Anthem clients and reported it to Anthem two days later.
“The investigation is ongoing,” Anthem said. “LaunchPoint does not have any information to suggest that the data on the file was misused.”
Anthem reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights on July 24, according to the HHS. Data breaches involving the protected health information of more than 500 people must be reported to the federal agency to investigate.
The breach brings a new round of inquiry into Anthem and its contracted vendors. The insurance giant announced in June that it has agreed to pay $115 million to settle class-action lawsuits stemming from a 2015 breach that affected the personal information of 78.8 million customers nationwide.
In that breach, a system administrator saw a database query was running with his identifier code and he had not initiated the query.
The settlement agreement, the largest ever in a data breach case, is scheduled to be heard Aug. 17 in the U.S. District Court for the Northern District of California in San Jose.
Besides offering class members in the settlement an additional two years of credit monitoring, the settlement includes $15 million to pay for out-of-pocket costs incurred by class members, up to a set amount.
In reaching the settlement, Anthem did not admit wrongdoing or that the individuals were harmed as a result of the breach. At the time of the 2015 breach, Anthem covered 37 million people in the U.S.